


> In Firefox, it is checked if the site actually requires authentication and if not, Firefox will warn the user with a prompt "You are about to log in to the site “www.example.com” with the username “username”, but the website does not require authentication. This may be an attempt to trick you.".

Huh, that's just security theater. The phisher could set up a website that does require authentication, thereby avoiding the warning.

The sensible thing to do would be to display the warning if the username contains unescaped dots. (I.e., http://cnn.com:article123456@fakenews.example.com/ would provoke warnings, but http://cnn%2Ecom:article123456@fakenews.example.com/ would not.)


Thinking about this, I think you're right that this is perhaps less useful than billed. If anything though, I'd rather have both warnings.
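The heuristic proposed in the first comment (warn when the username part of a URL contains an unescaped dot), sketched as an added example that is not from either commenter or from Firefox. The function name `userinfoWarning` and the fields of its result are hypothetical; the first two sample URLs are the ones from the comment, the rest are constructed.

```javascript
// Added example: flag http(s) URLs whose userinfo username contains a
// literal ".", which can make the userinfo read like a hostname.
// Relies on the WHATWG URL parser keeping existing percent-escapes in
// `username`, so "%2E" is not reported as a dot.
function userinfoWarning(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { warn: false, reason: "unparseable" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { warn: false, reason: "not http(s)" };
  }
  if (url.username === "" && url.password === "") {
    return { warn: false, reason: "no userinfo" };
  }
  if (url.username.includes(".")) {
    return {
      warn: true,
      reason: "unescaped dot in username",
      looksLike: url.username,   // what the reader may take for the site
      actualHost: url.hostname,  // where the request really goes
    };
  }
  return { warn: false, reason: "userinfo without unescaped dot" };
}

// Sample input: first two from the comment, the others constructed.
const SAMPLES = [
  "http://cnn.com:article123456@fakenews.example.com/",
  "http://cnn%2Ecom:article123456@fakenews.example.com/",
  "http://username@www.example.com/",
  "https://www.example.com/",
];

for (const s of SAMPLES) {
  const r = userinfoWarning(s);
  console.log(r.warn ? "WARN" : "ok  ", s, "-", r.reason);
}
```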



