
I notice most websites simply say "user name or password is not correct"; however, some will tell you if the user name does not exist.

Are there any security risks letting the user know if they entered an invalid user name versus just telling them the combination of user / password was incorrect?

Skyler

1 Answer


If you start with the assumption that usernames are or can all be public, then there are no security risks in revealing invalid usernames. However, this assumption is not typically the case, and as such revealing the validity of usernames will make brute force attacks easier.

As a ridiculous example, some movies will show someone using a device to crack the password of a digital safe or door code. Perhaps the lock has an 8-digit password and you can see the digits getting solved one at a time on the special device. If that mechanism worked, you would only have to do 10 attempts per digit, for a total of 80 attempts to brute force the password in the worst case. Compare this to 10^8 = 100 million attempts in the worst case for the way digital locks actually work (which is: you attempt a password, and the lock unlocks or it doesn't). Along those same lines, separating the process into guessing a username until you hit one, then guessing the password for that username, would be easier for the same reason.

That being said, it doesn't necessarily mean this is a bad practice. It usually is the case that usernames can be easily guessed anyway, particularly on a popular site, so the amount of entropy lost by revealing username validity may not be enough to warrant worrying about it.

TTT
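To put numbers on the answer's point, here is an added Python example (not part of the original question or answer) that simulates the two login behaviours side by side: one that returns a distinct "unknown user" message and one that returns the same message for either failure. The user database, candidate usernames and password list are constructed for the example; `login_verbose`, `login_uniform`, `enumerate_usernames`, `attack` and `separable_vs_combined` are names chosen here. The attacker's cost is counted as the number of login attempts it needs, which is the quantity rate limiting and lockouts are measured against.

```python
import hashlib
import hmac
import secrets

# Low iteration count so the example runs quickly; use a far higher one in practice.
_ITERATIONS = 1_000
# Fixed-per-process dummy salt so unknown usernames still cost one hash (see login_uniform).
_DUMMY_SALT = secrets.token_bytes(16)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def make_user_db(users: dict) -> dict:
    """Constructed sample database: username -> (salt, password hash)."""
    db = {}
    for name, pw in users.items():
        salt = secrets.token_bytes(16)
        db[name] = (salt, _hash(pw, salt))
    return db


def login_verbose(db, username, password):
    """Leaks username validity: unknown users and wrong passwords get different messages."""
    if username not in db:
        return "unknown user"
    salt, stored = db[username]
    if hmac.compare_digest(_hash(password, salt), stored):
        return "ok"
    return "wrong password"


def login_uniform(db, username, password):
    """One message for both failures. The hash is computed even for unknown users so
    that response time does not become a second enumeration channel."""
    salt, stored = db.get(username, (_DUMMY_SALT, b""))
    candidate = _hash(password, salt)
    if username in db and hmac.compare_digest(candidate, stored):
        return "ok"
    return "incorrect username or password"


def enumerate_usernames(login, db, candidates):
    """Attacker step 1: which candidates does the server admit exist?
    Against login_uniform every candidate looks the same, so nothing is learned."""
    junk = "definitely-not-the-password"
    return [u for u in candidates if login(db, u, junk) != "unknown user"]


def attack(login, db, usernames, passwords):
    """Attacker step 2: try each password against each username.
    Returns (credentials found, total login attempts). With the verbose oracle an
    invalid username costs one attempt; without it, it costs len(passwords)."""
    attempts = 0
    found = []
    for user in usernames:
        for pw in passwords:
            attempts += 1
            result = login(db, user, pw)
            if result == "ok":
                found.append((user, pw))
                break
            if result == "unknown user":
                break  # oracle says stop wasting guesses on this username
    return found, attempts


def separable_vs_combined(alphabet_size: int, positions: int):
    """The movie-lock arithmetic from the answer: worst-case guesses when each
    position is confirmed independently versus when only the whole secret is checked."""
    return positions * alphabet_size, alphabet_size ** positions


if __name__ == "__main__":
    db = make_user_db({"alice": "hunter2", "bob": "letmein"})
    candidates = ["admin", "alice", "root", "bob"]
    wordlist = ["password", "123456", "letmein", "qwerty", "hunter2"]
    for name, login in (("verbose", login_verbose), ("uniform", login_uniform)):
        print(name, enumerate_usernames(login, db, candidates), attack(login, db, candidates, wordlist))
    print(separable_vs_combined(10, 8))
```

On this constructed input the verbose login lets the attacker discard the two invalid usernames after one attempt each, while the uniform login makes every username cost the whole wordlist. The gap grows with the size of the username list, which is the "entropy lost" the answer refers to. The same discipline has to be applied to every path that touches the user table (registration, password reset, timing of the response), since any one of them can become the enumeration oracle that the login form avoids.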