As a security consideration ... you're telling me too much when you specifically say "invalid username" or "invalid password".

If you say "invalid username", then someone can keep throwing usernames with don't-care passwords at the site until they hit a valid one. Then they can start guessing passwords, knowing that they already have a username.

If you use email addresses for usernames, it gets even worse: you have made social engineering of the target user simpler, as the bad person simply needs to try to finagle a known email address into giving away their password (or being phished).

If you just say "invalid user ID or password", then you've given the "I can't log you in because you don't have both of these right" information, but you've not allowed random probing to transmit any information, even if by chance one of the two is right.