Why are the username and password on two different pages?

[jimm]

Yes, but if they did they are giving away security information: they are acknowledging that the entered email address is a legit delegated login. That's a bad thing to do, security-wise. You don't want bad guys to start trying email addresses and be able to see which ones are good email addresses.

[dmurray]

The bad guys can do exactly the same in the workflow where you redirect them rather than update the page.