
>99.9% of websites on the Internet will only let you create one account for each email address. So if you want to see if an email address has an account, try signing up for a new account with the same email address.

While this is true, it's perfectly reasonable to require a captcha before allowing a new account to be created; greatly limiting the speed at which an attacker could enumerate emails. While it's not going to stop targeted attacks, it will mitigate mass brute forcing of weak passwords.

Regardless of the ease of username enumeration, all of the author's points about what to do are great for most sites. Rate limiting with exponential backoff and 2fa are some of the cheapest and most effective means of increasing the security of your app's authentication process.



But requiring a captcha before validating the uniqueness of each username would be pretty annoying for large websites where many of the usernames I would choose are already taken.


To be fair, parent was specifically referencing email address as the unique login credential, not a username. Presumably if your email is already taken you're not going to get frustrated at a CAPTCHA.


Which doesn't matter, because there's no point in keeping usernames secret (and thus no point providing a captcha) unless those usernames are email addresses, in which case it's unlikely that the username you want will be taken.


Strictly speaking, keeping the existence of usernames secret does make brute forcing username/password combinations more difficult.


Only if the returned error code timing for a bad username overlaps bad password most of the time. Displaying an obscured error only serves to harm the real users and is of little benefit to the system.

Unless you delay all failed attempts to login by a random time of 500-2000 ms, it's unlikely you'll see much improvement in response rates... having such a random delay is probably helpful anyhow.
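The points raised in this thread (one generic error for unknown user and wrong password, equal work so response timing does not leak which case occurred, a random 500-2000 ms delay on failure, and per-account exponential backoff) sketched as a login handler. This is an added example, not code from the linked article or from any commenter; the user store, salt and credentials are constructed, and `LoginService` returns the delay it would impose rather than sleeping so it can be exercised offline.

```python
import hashlib
import hmac
import os
import random
from dataclasses import dataclass

ITERATIONS = 100_000  # PBKDF2 work factor (illustrative)

def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a PBKDF2-HMAC-SHA256 hash; same cost whether or not the user exists."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

# Constructed sample user store: username -> (salt, hash). Not real data.
_SALT = b"constructed-salt"
USERS = {"alice@example.com": (_SALT, hash_password("correct horse", _SALT))}

# Hash of a throwaway random value. Unknown usernames are verified against it,
# so the server performs the same KDF work and the timing does not reveal
# whether the account exists (the overlap the thread asks for).
DUMMY_RECORD = (_SALT, hash_password(os.urandom(16).hex(), _SALT))

GENERIC_ERROR = "Invalid email address or password."  # identical for both failures

@dataclass
class LoginResult:
    ok: bool
    message: str
    delay: float  # seconds the server should wait before responding

class LoginService:
    def __init__(self, users=USERS, rng=None):
        self.users = users
        self.failures = {}  # username -> consecutive failure count
        self.rng = rng or random.Random()

    def attempt(self, username: str, password: str) -> LoginResult:
        salt, stored = self.users.get(username, DUMMY_RECORD)
        supplied = hash_password(password, salt)  # always run the full KDF
        valid = hmac.compare_digest(supplied, stored) and username in self.users
        if valid:
            self.failures.pop(username, None)  # reset backoff on success
            return LoginResult(True, "Welcome back.", 0.0)
        # Exponential backoff per account (1s, 2s, 4s, ... capped at 60s) plus
        # the random 0.5-2.0s jitter suggested above, applied to every failure.
        count = self.failures.get(username, 0) + 1
        self.failures[username] = count
        delay = min(2 ** (count - 1), 60) + self.rng.uniform(0.5, 2.0)
        return LoginResult(False, GENERIC_ERROR, delay)
```

A real deployment would also key the backoff on source IP or a device token, since a per-account counter alone does not slow an attacker spraying one password across many accounts.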


But there's no good reason to have a username at all unless users interact with each other or the web-going public, in which case the username is a public part of the URL. Services like twitter or github need @usernames. Other services should just use email addresses.


However most sites reveal existence of an account before requiring a captcha, and many sites can't even fix this.

e.g. Twitter can't require captcha before letting me see twitter.com/username …but they're still doing this security theater.


Well, it's also perfectly fine to require a captcha after one or two failed attempts of login. Which achieves the same goal.

(Although, some real rate limiting is better, except when dealing with a distributed bot. Maybe both.)
