In theory, yes your super secure system should not leak any info. On the other hand, it's nice when you also make this stuff user friendly.
because some systems allow any username, some require email addresses instead, some require username but have some sort of odd limitation on it (must be 10 chars, or must have a number, or 2 numbers, etc), it's actually quite useful to know if I've even got the right username before attempting all of the passwords it might be (which again may be various, because you've imposed stupid limitations on what the password can or cannot be).
Furthermore, if you are going to lock me out of the account, please let me know how many attempts I have. This is especially important on systems which do a permanent lockout (rather than a 20 minute lockout or whatever), which requires a phone call to unlock (a few banks are guilty of this). If I've got 5 tries and can't remember it after 4 tries, then I'll just give in and use the password reset option rather than lock myself out and have to waste time on the phone with customer service.
And then in light of the above two points, if you've got a captcha and you don't tell me what the problem is with my login attempts, I'm going to have to kill you. Captchas these days are so convoluted, it's actually pretty routine to get them wrong. So when my login attempt fails, I'm going to assume over and over that it's the captcha that I'm just not reading correctly (is that distorted Y character an uppercase or lowercase?). When I try that 10 times, only to later discover that the problem was that I couldn't use one of my usual login names because your website required me to use 2 numbers in my login name, blood will be spilled.
Also, in reply to your previous post:
You sound like the kind of person we may be looking to hire soon. I've hired a few people with your level of experience.
> I can put together a secure login-driven Web site using PHP and MySQL.
Error. One of the companies I own is based on a single product, a SECURE login system.
Error, on your part. You just proceeded to tell us about the vulnerabilities in your login system, therefore you too are in error when you say your product is a secure login system. :-)