
Why doesn't Gmail indicate whether it is the username or password that is incorrect when a login fails?


I have a question. Why does Gmail throw a message like "The email and password that you entered don't match" when one of the credentials, the username or the password, is wrong? Why do they not throw errors that are easily understandable to users, like:

  1. If the username is valid but not the password, then it should throw a message like "Password does not match."

  2. If the password is valid but not the username, then it should throw a message like "Username does not match."

Why do they throw a message like "The email and password that you entered don't match" in every case?

Is there a security issue with being more specific in the error messages thrown?


Solution

  • Actually, the new Gmail login page does not do that - it asks you to enter your username in step 1, and then your password in step 2.

    If you reveal whether an account exists you are opening up a username enumeration vulnerability. This is useful for an attacker to use in a password guessing or phishing attack:

    As an attacker if I can use your login or forgotten password page to narrow my list from 10000 targets to 1000 targets, I will.

    Note that on some systems, like Gmail or Facebook, usernames are considered public, so this is not classed as a particularly high-risk vulnerability.

    However, if you run "John's Dating Site" (or Ashley Madison) and Alice can find out if her husband Bob is a member simply by trying the login form with Bob's email as the username, then you have a privacy issue on your hands. Interesting write up here: Your affairs were never discreet – Ashley Madison always disclosed customer identities. They nearly fixed their user enumeration bug, but not quite.

    In addition, the second point you make would not be possible. If a user enters an invalid username but enters a valid password the authentication system would not be able to determine that the password is correct because it does not know which username to validate it for. Even if it could, revealing that at least one user had that password would be a security concern.
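The following is an added example, not code from the answer above, showing the enumeration problem the answer describes and the usual fix. It assumes a small in-memory user store with PBKDF2-hashed passwords (constructed sample data, not real accounts). The "leaky" login returns distinct messages and returns early for unknown usernames, so an attacker can tell which accounts exist from both the message and the response time; the "uniform" login returns one generic message and hashes a dummy record for unknown users so that both paths cost the same. The `probe` helper is the attacker's side: it compares each candidate's failure message against that of a username that certainly does not exist.

```python
import hashlib
import hmac
import os
import time

# PBKDF2 cost. Kept modest so the example runs quickly; tune it upward in production.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample user store: username -> (salt, pbkdf2 hash). Not real accounts.
_SALT_ALICE = os.urandom(16)
USERS = {
    "alice@example.com": (_SALT_ALICE, hash_password("correct horse battery staple", _SALT_ALICE)),
}

# A record that belongs to nobody, generated once at startup (assumption made for this
# example). Hashing against it makes an unknown username cost as much as a known one.
# Its password is random so no submitted password can ever match it.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(os.urandom(32).hex(), _DUMMY_SALT)

GENERIC = "The email and password that you entered don't match."


def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """Enumeration-prone: distinct messages, and an early return (no hashing)
    when the username is unknown, which also leaks via timing."""
    record = USERS.get(username)
    if record is None:
        return (False, "Username does not match.")
    salt, stored = record
    if hmac.compare_digest(hash_password(password, salt), stored):
        return (True, "Welcome")
    return (False, "Password does not match.")


def login_uniform(username: str, password: str) -> tuple[bool, str]:
    """Same message and same amount of hashing whether or not the username exists."""
    record = USERS.get(username)
    salt, stored = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    matched = hmac.compare_digest(hash_password(password, salt), stored)
    # Never grant access on the dummy record, even if the digest comparison passed.
    if matched and record is not None:
        return (True, "Welcome")
    return (False, GENERIC)


def probe(login_fn, candidates: list[str]) -> list[str]:
    """Attacker's view: a candidate username 'exists' if its failure message
    differs from the one returned for a username that certainly does not exist."""
    baseline = login_fn("definitely-not-a-user@example.invalid", "x")[1]
    return sorted(u for u in candidates if login_fn(u, "x")[1] != baseline)


def timed(login_fn, username: str, password: str = "x") -> float:
    """Seconds taken by one login attempt; the other enumeration channel."""
    start = time.perf_counter()
    login_fn(username, password)
    return time.perf_counter() - start


if __name__ == "__main__":
    targets = ["alice@example.com", "bob@example.com"]
    print("leaky login reveals:  ", probe(login_leaky, targets))
    print("uniform login reveals:", probe(login_uniform, targets))
    for name, fn in (("leaky", login_leaky), ("uniform", login_uniform)):
        print(f"{name}: known user {timed(fn, targets[0]):.4f}s, "
              f"unknown user {timed(fn, targets[1]):.4f}s")
```

Run it and the leaky variant names `alice@example.com` while the uniform one names nobody; the timing lines show the leaky unknown-user path finishing orders of magnitude faster than the known-user path, which is why the dummy hash matters as much as the generic message. A real deployment still needs the same treatment on the registration and forgotten-password pages, and the ordering of message and timing does not help against the "username is public" case the answer mentions.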