
The Bagcheck example exposes the presence of an account - that can't be best practice for security I would have thought.


When you have public profiles, checking for presence of an account is pretty easy anyway.


Right. You can also check for someone's profile with his name or email on Twitter (or even just Google them).


"Those options correspond to however you’ve authenticated with the site in the past. In my case choosing “Twitter” redirects me to Twitter for the standard auth dialog, and picking “Bagcheck” displays a standard password field."


Right, but by typing a few characters I can establish if a user has an account or not, for a subsequent attack.

http://news.ycombinator.com/item?id=3059759 (top comment thread)

http://news.ycombinator.com/item?id=3156841


But how is that different from Googling "site:bagcheck.com John Smith"?


As wgx suggests, it does look like the autocomplete shows two Sacha user accounts. I presume this is before you get "those options to choose your authentication method".


Neither is neglecting to restrict the number of attempts to type the correct password.
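To make the two complaints in this thread concrete, here is an added example (not Bagcheck's code or any commenter's): a username autocomplete that answers "does this account exist?" for free, beside a login check that returns one uniform failure for unknown users, wrong passwords and locked accounts, and caps the number of password attempts. The class and constant names (LoginService, MAX_ATTEMPTS) are constructed for this illustration.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

MAX_ATTEMPTS = 5                          # cap on consecutive failed password attempts
GENERIC_FAILURE = "Invalid credentials."  # one message for every failure cause


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class _Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0


class LoginService:
    def __init__(self) -> None:
        self._accounts: dict[str, _Account] = {}
        # Dummy credential (constructed) so an unknown identifier costs the same
        # hashing work as a known one: no timing difference to probe.
        salt = os.urandom(16)
        self._dummy = _Account(salt, _pw_hash(secrets.token_hex(16), salt))

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[username] = _Account(salt, _pw_hash(password, salt))

    def leaky_options(self, prefix: str) -> list[str]:
        """The pattern the thread objects to: an autocomplete that lists
        matching usernames confirms account existence before any password."""
        return sorted(u for u in self._accounts if u.startswith(prefix))

    def login(self, username: str, password: str) -> tuple[bool, str]:
        """Hardened check: unknown user, wrong password and locked account
        all yield the same (False, GENERIC_FAILURE) result."""
        acct = self._accounts.get(username, self._dummy)
        ok = hmac.compare_digest(acct.pw_hash, _pw_hash(password, acct.salt))
        if acct is self._dummy:
            return False, GENERIC_FAILURE
        if acct.failures >= MAX_ATTEMPTS:
            return False, GENERIC_FAILURE  # locked: even the right password is refused
        if not ok:
            acct.failures += 1
            return False, GENERIC_FAILURE
        acct.failures = 0
        return True, "Welcome."
```

A real deployment would also throttle per source address and expire the lockout, which this in-memory sketch omits.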



