I agree with the conclusion, but the even more wildly actionable information is that you can decrease CS costs and increase customer happiness by using copywriting better than "That email and password do not match our records." (Also, as a product owner with an engineering background, I have to come down on the "In this case, prefer UX over security" side of the debate, since there are numerous other options for divining existence of an account/email address and refusing to tell the account owner that gets you no marginal security benefit but does frustrate their use of your system.)
The thing I find pretty hilarious (sad?) is that many sites that give you the generic "username or password is wrong" message are perfectly happy to tell you that a username is in use if you try to sign up for a new account (geez, I guess they sort of have to!).
Thanks, that's hilarious. I can see someone thinking that unique passwords are a way to make sure that people aren't overusing common passwords - and not realizing that you are implicitly letting everyone know what passwords are currently in use.
Guild Wars 2 is like this. I was trying to use the same password for two accounts and received "Unavailable password. You or someone else has used it before."
I think using an email address (and/or a uniquely generated username) as an identifier is the best compromise. Then a generic 'credentials invalid' => retrieve your account: 'enter email' page to reset passwords. And require a confirmation click from your email for two step sign up.
You could always sniff out if someone has an email address on a lot of systems by visiting the 'forgot your password' page. So perhaps on the account rescue page, just ask for a valid email address, then give a generic thank you message. If the email address exists, send out an email, if not don't bother - but don't give feedback of the sort 'that email address does not exist on the system' etc.
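The design the two comments above describe, as an added example that is not code from the thread: one generic login error, a reset page that returns the same thank-you text whether or not the address is registered (and only sends mail when it is), and a signup page that always answers "check your inbox" so it cannot be used as the username probe. It assumes an in-memory user store and an `outbox` list standing in for mail delivery; both are constructed for the demo. It also goes one step beyond the comments: a login attempt for an unknown email hashes a dummy credential so the unknown and wrong-password paths do the same work.

```python
import hashlib
import hmac
import os
import secrets

GENERIC_LOGIN = "That email and password do not match our records."
GENERIC_RESET = ("If that address is registered, we have sent a reset link. "
                 "Please allow a few minutes and check your spam folder.")
GENERIC_SIGNUP = "Check your inbox to confirm your address."


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountService:
    """Toy account service: every externally visible answer is the same
    whether or not the email is known; only the outbox differs."""

    def __init__(self):
        self.users = {}      # email -> (salt, pbkdf2 hash); constructed demo store
        self.outbox = []     # (recipient, body) pairs that would be emailed
        # Dummy credential so a login for an unknown email still performs
        # one full password hash (same work as the wrong-password path).
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _hash_password(secrets.token_hex(16), self._dummy_salt)

    def add_user(self, email: str, password: str) -> None:
        """Provisioning helper for the demo; not an externally reachable path."""
        salt = os.urandom(16)
        self.users[email] = (salt, _hash_password(password, salt))

    def login(self, email: str, password: str):
        """Returns (success, message). The message is identical for
        'unknown email' and 'known email, wrong password'."""
        salt, stored = self.users.get(email, (self._dummy_salt, self._dummy_hash))
        ok = hmac.compare_digest(_hash_password(password, salt), stored)
        if ok and email in self.users:
            return True, "Welcome back."
        return False, GENERIC_LOGIN

    def request_reset(self, email: str) -> str:
        """Account-rescue page: same response either way; mail only if registered."""
        if email in self.users:
            token = secrets.token_urlsafe(32)
            self.outbox.append((email, f"Your password reset token: {token}"))
        return GENERIC_RESET

    def signup(self, email: str) -> str:
        """Two-step signup: the address owner learns the truth by email,
        the person typing into the form learns nothing."""
        if email in self.users:
            self.outbox.append((email, "You already have an account here. "
                                       "Use the reset page if you forgot your password."))
        else:
            token = secrets.token_urlsafe(32)
            self.outbox.append((email, f"Confirm your new account: {token}"))
        return GENERIC_SIGNUP


if __name__ == "__main__":
    svc = AccountService()
    svc.add_user("alice@example.com", "correct horse battery staple")
    print(svc.login("alice@example.com", "nope")[1])
    print(svc.login("nobody@example.com", "nope")[1])
    print(svc.request_reset("nobody@example.com"))
    print(svc.signup("alice@example.com"))
    print(svc.outbox)
```

The point to check when applying this to a real app is the one the next comment raises: the honest answer still reaches the address owner (in the outbox), so a user who typed the wrong address gets silence rather than an error, which is the UX cost of this trade.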
I'd suggest that your last point is providing a bad user experience in the interests of privacy. Many people (myself included) use these forms because we've forgotten our password or at worst forgotten the email we used to sign up. I have about 5 different email addresses I use for various things so I'd be quite disappointed to see a thank you message if it wasn't the email I had actually used to register. There's also the use-case where people mistype their email address.
If you are worried about email mistypes then you could always provide a confirmation. However I'd have thought we'd be pretty good at getting our email address right, and the browsers a lot of the time provide a magic autocomplete for email addresses. I guess it just sees a form input name attribute of 'email' and goes by that.
Multiple email addresses are a pain, I'll grant you that. But no worse than a multitude of user names.
Perhaps a better message might be:
'If your email address is registered, then we will attempt to send out an email containing a reset code. Please check your inbox.
If you do not receive an email to your given address, then you may not have registered with the given email.
Allow time for the arrival of email, and please check your spam folder.'
But it gets a little long winded... I'd almost rather not have a password, and be sent a new code each time (albeit transparently).
I invariably forget passwords and logins frequently. So I go through this process, like you, as a matter of routine.
Bad times potentially though for when your email service is down or when your email address has expired. Or your email account has been exploited.