On two-step login forms, why is it the login name and not the password that's asked first?
A lone password is not necessarily verifiable by itself. In particular, if the server does things properly, then it stores not the passwords themselves, but the output of a password hashing function computed over the password. A password hashing function (as opposed to a mere hash function) includes some extra features, including a salt (for very good security-related reasons). Verifying a password then requires knowledge of the corresponding salt. Since the salt is instance-specific (the point of the salt is that distinct users have their own salts), the user identity is required (the user identity is used as an indexing key for the salt).
For one thing the server would not know if the password alone matched any accounts.
In a secure system, passwords are salted and then hashed.
In a simplistic demo, suppose I had three users:
Username Password
bob foobar
alice foobar
maggie foobar
When these passwords are set, a salt is added and a hash is generated:
Username Salt Value to hash Hash result
bob ABCDEF ABCDEFfoobar 778f9aab91717e420e447d7e4cdd84f1
alice 123456 123456foobar 17e9191daecc5b8be26779209769b275
maggie ZXCVBN ZXCVBNfoobar 527cb07b112559cf9c1aff19d28074fa
As you can see, the purpose of the salt is that no two passwords are stored the same, even though the password may match. This is an important security step to take to prevent rainbow tables being used on an extracted password list.
This makes it impossible to determine which account is being logged into on the basis of password alone, because the salt to use isn't known. This is because username is used as a key for the lookup, and without that being provided to the server, the password entered at step one cannot be matched without trying each hash in the user table until a match is found. On a properly configured system this would be too slow, because you're using a slow algorithm (see footnote).
Also, it would be a massive security information leak if the system told you your password was being used by another.
The above example is for illustration purposes only and uses MD5. Never use MD5 to hash passwords - use bcrypt, scrypt or pbkdf2.
Aren't you basically asking "Is there any reason we don't have public passwords and private usernames?"
They're both just text strings. Your idea of enforcing unique passwords is really just saying that usernames are unique. The label you apply to a text box matters not. We call the string that's private a password and the unique one a username or user ID because it's unique.
Security-wise and looking at it in the normal order of Login/Password: If you required both to be unique then you would open an attack on the database, because every password checked would be checked against every user in the database because you have required your passwords to be unique. So both unique doesn't work. Both non-unique doesn't work because you don't know which account is being accessed. So that leaves just having just one unique string. If you're making a single unique text string, might as well make it a public piece of data and check that first (and we term this data Login/ID/Username).