i.e an attacker try to register your account, and then he knows your username or password is wrong can only be wrong password and we haven't actually improved security ? The way to mitigate that would be to not give away this information during the registration proces...