
I develop a web application where registered users see each other's usernames. Login is performed via HTTPS Basic Authentication based on a correct username/password combination. This way an attacker will only need to guess a user's password.

Can this be considered a weakness in security? Should I change my login function to accept a mail/password combination (because a user's mail is more likely to stay secret)? Or is the password as sole secret enough?

FuryFart
    potential duplicate: https://security.stackexchange.com/questions/4729/should-usernames-be-kept-secret?rq=1 – schroeder May 11 '20 at 20:30
  • Does this answer your question? [Should usernames be kept secret?](https://security.stackexchange.com/questions/4729/should-usernames-be-kept-secret) – multithr3at3d May 11 '20 at 22:26

3 Answers


Having the mail address as the login can make it more difficult for other users on the same system to work out the login name, but data-dumps of accounts hacked elsewhere will definitely include email addresses used to register.

So at best you're trading one (unlikely) attack vector for a worse one. Any gains are not nearly enough to make it worth any development time spent altering that aspect of your application.

In terms of improving security vs. time/cost you're better off looking at 2FA options like OTP for example and requiring more complex passwords and/or periodic password changes.

James Snell

If the user name is an email address, you should generally not reveal this, for privacy. An email address is linked to an individual, and whether someone uses a particular site is private information - consider Ashley Madison as an example. It can be a little tricky to avoid email enumeration when you consider functions like registration and forgotten password, and side channels like timing. Interestingly, some major sites (e.g. Google) don't follow this principle.

If the user name is a handle the user selects themselves, it's ok to reveal this. A handle in itself isn't linked to an individual - I'm paj28 here on Stack Exchange, but on a different site paj28 could be someone else. This is why most sites that allow peer-to-peer communication have users pick a handle. In fact, it's normally impossible to avoid handle enumeration because the registration function has to block duplicate handles.

A minor issue with user names being non-secret is a particular kind of denial of service attack. Most apps implement a password lockout policy to defend against password brute force attacks. This is usually based on the user name, which means that someone who knows the user name can make repeated invalid logins and cause a denial of service. Some sites use Captcha instead of lockout to avoid this.

paj28
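An added example, not part of this thread or of any answerer's code, illustrating two points from the answer above: the timing side channel that can reveal whether a username exists, and the denial of service that a lockout keyed on the username alone makes possible, beside a throttle keyed on the requesting source that falls back to a CAPTCHA rather than a hard lock. The usernames, password, IP addresses and user table are constructed for the example; the CAPTCHA itself is represented by a flag, since solving one is out of scope here.

```python
"""Added example (not from the Stack Exchange post): username-keyed lockout
DoS versus a source-keyed throttle, plus a constant-work password check.
All usernames, passwords, IPs and the user table are constructed."""
import hashlib
import hmac
import time
from collections import defaultdict, deque

PBKDF2_ROUNDS = 20_000   # kept low so the example runs quickly; raise in production
_SALT = bytes(16)        # fixed salt for reproducibility only; use os.urandom(16) per user


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user table: username -> (salt, password hash)
USERS = {"alice": (_SALT, _hash("correct horse battery staple", _SALT))}


def verify_password(username: str, password: str) -> bool:
    """Constant-work check: an unknown username still costs one PBKDF2 run and
    one constant-time compare, so response timing does not reveal whether the
    username exists (the dummy all-zero digest can never match a real hash)."""
    salt, expected = USERS.get(username, (_SALT, bytes(32)))
    return hmac.compare_digest(_hash(password, salt), expected)


class UsernameLockout:
    """Lockout keyed on the username alone: anyone who knows 'alice' can lock
    her out by sending max_failures wrong passwords from anywhere."""

    def __init__(self, max_failures=5, lock_seconds=900, clock=time.monotonic):
        self.max_failures, self.lock_seconds, self.clock = max_failures, lock_seconds, clock
        self.failures = defaultdict(int)
        self.locked_until = {}

    def login(self, username: str, password: str, source_ip: str) -> str:
        now = self.clock()
        if now < self.locked_until.get(username, 0.0):
            return "locked"                      # the legitimate user is refused too
        if verify_password(username, password):
            self.failures.pop(username, None)
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= self.max_failures:
            self.locked_until[username] = now + self.lock_seconds
            self.failures.pop(username, None)
        return "bad_credentials"


class SourceKeyedThrottle:
    """Sliding-window throttle keyed on (source_ip, username). A source that
    exhausts its budget must solve a CAPTCHA instead of being locked out, so a
    remote attacker cannot deny service to the real user at another address."""

    def __init__(self, max_attempts=5, window_seconds=300, clock=time.monotonic):
        self.max_attempts, self.window, self.clock = max_attempts, window_seconds, clock
        self.attempts = defaultdict(deque)       # (ip, user) -> timestamps of failures

    def _recent_failures(self, key, now: float) -> int:
        q = self.attempts[key]
        while q and now - q[0] > self.window:    # drop failures outside the window
            q.popleft()
        return len(q)

    def login(self, username: str, password: str, source_ip: str,
              captcha_solved: bool = False) -> str:
        now = self.clock()
        key = (source_ip, username)
        if self._recent_failures(key, now) >= self.max_attempts and not captcha_solved:
            return "captcha_required"
        if verify_password(username, password):
            self.attempts.pop(key, None)
            return "ok"
        self.attempts[key].append(now)
        return "bad_credentials"


def demo() -> dict:
    """Attacker at 198.51.100.7 knows alice's username; alice logs in from 203.0.113.5."""
    results = {}
    lockout = UsernameLockout()
    for _ in range(5):
        lockout.login("alice", "wrong", "198.51.100.7")
    results["lockout_victim"] = lockout.login("alice", "correct horse battery staple", "203.0.113.5")

    throttle = SourceKeyedThrottle()
    for _ in range(5):
        throttle.login("alice", "wrong", "198.51.100.7")
    results["throttle_attacker"] = throttle.login("alice", "wrong", "198.51.100.7")
    results["throttle_victim"] = throttle.login("alice", "correct horse battery staple", "203.0.113.5")
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the victim refused with `locked` under the username-keyed policy while the source-keyed throttle lets her in and sends only the attacker to a CAPTCHA. The throttle is not a complete defence: an attacker with many source addresses gets a fresh budget per address, which is why the fallback is a CAPTCHA (or a second factor) rather than a hard lock, and why a global per-username counter, if added, should also trigger a CAPTCHA instead of refusing the account outright.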

Can this be considered a weakness in security?

Yes, without a doubt. And you already know why, an attack will be easier. Whilst not relying on usernames being kept secret, having this information easily accessible certainly does not help your case.

Furthermore, using HTTP basic auth does not allow for control mechanisms that limit the effectiveness of brute forcing. You won't have rate limiting/control or automatic lockouts, etc.

Pedro