Should I give separate messages for an incorrect password and an incorrect username? Or keep it the same for security?

I think having separate m开发者_运维技巧essages may allow for a less frustrating user experience, as someone who has forgotten their details has less to narrow it down to. However, it's then possible for someone to keep scraping the site to determine a list of usernames that are in use.

Is it worth accepting the small security issue, in order to create a better user experience?

When it comes to security, I would always err on the side of caution. Use a generic message.

No it is not worth it. To be safe, you want to give out as little information as possible.