Many types of attack on websites are concerned with bypassing the authentication system. Logging into a site usually requires that a user supply a username and a password.
If an attacker can harvest the list of usernames for a site, they have half the authentication information they need to access those accounts.
Guessing passwords is harder, but possible. An attacker will use tools to brute-force common passwords, or if your usernames are email addresses, they might use social engineering to trick users into revealing their password.
Your site will be more secure if an attacker cannot probe it for usernames. Let's look at some common ways that sites leak information about what is and isn't a valid username.
Those are the most common ways users can be enumerated. Let's recap.
Enter Your Username to Reset Your Password
Enter Your Email to Reset Your Password
Enter Your Email to Sign Up
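The reset and sign-up forms above are the classic places a site leaks validity of an address. The following is an added example, not code from the original lesson: a plain-Ruby password-reset and sign-up handler, each in a leaky form and a hardened form, so the difference in what the response reveals can be checked without a web framework. The user store, the FakeMailer, and the example.test URLs are assumptions constructed for the example.

```ruby
require 'securerandom'

# Constructed sample user store, keyed by lower-cased email (assumed shape).
USERS = {
  'alex@example.com' => { id: 1 },
  'sam@example.com'  => { id: 2 }
}.freeze

# Stand-in for an outbound mailer: records what would have been sent.
class FakeMailer
  attr_reader :sent
  def initialize
    @sent = []
  end

  def deliver(to:, body:)
    @sent << { to: to, body: body }
  end
end

# Leaky reset: the response text depends on whether the address is known,
# so every request doubles as a "does this user exist?" oracle.
def reset_password_leaky(email, mailer)
  user = USERS[email.downcase]
  return 'No account found for that email address.' unless user

  token = SecureRandom.hex(16)
  mailer.deliver(to: email, body: "Reset link: https://example.test/reset/#{token}")
  'A password reset link has been sent to your email address.'
end

# Hardened reset: the same message for known and unknown addresses, and the
# token is generated either way so the code path does roughly the same work.
# Only a known address actually receives mail.
GENERIC_RESET_MESSAGE =
  'If an account exists for that address, a password reset link has been sent.'

def reset_password_hardened(email, mailer)
  user = USERS[email.downcase]
  token = SecureRandom.hex(16) # generated regardless of outcome
  if user
    mailer.deliver(to: email, body: "Reset link: https://example.test/reset/#{token}")
  end
  GENERIC_RESET_MESSAGE
end

# Leaky sign-up: "already registered" confirms the address is a valid user.
def sign_up_leaky(email, mailer)
  return 'That email address is already registered.' if USERS[email.downcase]

  mailer.deliver(to: email, body: "Confirm your account: https://example.test/confirm/#{SecureRandom.hex(16)}")
  'Check your email to confirm your account.'
end

# Hardened sign-up: the page says the same thing in both cases; the
# distinction is moved into the email, which only the address owner can read.
# (Persisting the new account after confirmation is out of scope here.)
GENERIC_SIGNUP_MESSAGE = 'Check your email to continue signing up.'

def sign_up_hardened(email, mailer)
  if USERS[email.downcase]
    mailer.deliver(to: email, body: 'You already have an account. Use "Forgot password" to sign in.')
  else
    mailer.deliver(to: email, body: "Confirm your account: https://example.test/confirm/#{SecureRandom.hex(16)}")
  end
  GENERIC_SIGNUP_MESSAGE
end

if __FILE__ == $PROGRAM_NAME
  m = FakeMailer.new
  puts reset_password_leaky('alex@example.com', m)
  puts reset_password_leaky('nobody@example.com', m)
  puts reset_password_hardened('alex@example.com', m)
  puts reset_password_hardened('nobody@example.com', m)
end
```

The hardened handlers still do different things for known and unknown addresses, but the difference is only visible in the mailbox, not in the HTTP response. Response timing is the other channel to keep consistent, which is why the token is generated on both paths.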
Prove you're not a robot: Pick the bird with the biggest guns!
    # Number of failed logins recorded in this session, defaulting to zero.
    login_failures = session[:login_failures] || 0
    # Exponential back-off: each failed attempt doubles the delay before responding.
    sleep(0.0001 * 2 ** login_failures)
Attacker's responses: "...I see you alex. You are going on my list." / "Well, that doesn't help." / "One more for the list."