Previously, recommended practice has been to never let a potential attacker know that you have guessed a correct username, and conversely never inform the user that the username is wrong; instead giving error messages such as "Either the username or password is wrong". However, it now seems that many online services are moving away from this, often not allowing you to input your password until you have provided a correct username. Is there a good (scientific) reason for this?