Currently, login is allowed by email or username. When writing the username correctly but the password incorrectly, the error which will be shown will tell you that the password is incorrect (obviously, because you already know the username).
But, from a security standpoint, this might hurt our websites. A hacker can take usernames right out of questions and answers, and start brute-forcing the password.
My suggestion is: enable logging in only via email and not by username. This way, each user can know only his own email - a hacker cannot know the email of other users, and therefore he has two things to figure out in order to hack an account - both email and password. Then, after completing this step, once someone enters wrong information (either email or password) when trying to log in, the message which will be shown should be very general (for example: "Information which was entered is incorrect"), in order to not show the hacker which information he got right and which he didn't.
What do you think?
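A sketch of the login check proposed above, as an added example that is not part of the original post or of any site's own code: only the email is accepted as the identifier, and every failure returns the same general message. It goes one step beyond the post by also hashing against a dummy record when the email is unknown, so that response time does not reveal which field was wrong. The names `USERS`, `make_user` and `login` and the sample accounts are hypothetical and constructed for the example.

```python
import hashlib
import hmac
import os

# Wording taken from the post; the same text is returned for every failure.
GENERIC_ERROR = "Information which was entered is incorrect"

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 from the standard library; the iteration count is an assumption.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(email: str, username: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"email": email.lower(), "username": username,
            "salt": salt, "hash": _hash(password, salt)}

# Constructed sample accounts, keyed by email only.
# Usernames are public on the site, so they are never used as a lookup key.
USERS = {u["email"]: u for u in (
    make_user("alice@example.com", "alice", "correct horse"),
    make_user("bob@example.com", "bob", "battery staple"),
)}

# Dummy record used when the email is unknown, so the same amount of
# hashing work is done whether or not the account exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy", _DUMMY_SALT)

def login(email: str, password: str) -> tuple:
    """Return (ok, message); the message never says which field was wrong."""
    user = USERS.get(email.strip().lower())
    salt = user["salt"] if user else _DUMMY_SALT
    expected = user["hash"] if user else _DUMMY_HASH
    matches = hmac.compare_digest(_hash(password, salt), expected)
    if user is not None and matches:
        return True, "Logged in"
    return False, GENERIC_ERROR

if __name__ == "__main__":
    print(login("alice@example.com", "correct horse"))  # success
    print(login("alice@example.com", "wrong"))          # generic failure
    print(login("alice", "correct horse"))              # username rejected
    print(login("nobody@example.com", "anything"))      # same generic failure
```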