You have a trade-off between information given to the user and protection against attacks.
If you query your database checking for corresponding login and password and it fails, you can only tell the user that either the login or the password is erroneous. Not helping if he does not remember which login you used to register (was it "Arkh01", "arkh" or "Arkh1").
If you query your database for the login, getting the hash and salt you can tell the user if the login is wrong or the password. The user is happy. But someone attacking your website can learn easily that the user "aa" does not exists, but the user "ab" does. As lot of websites give access to a userlist, you can almost always dismiss this concern.
To prevent bruteforce, log the number of attempts made by an IP or on a login and block any further attempt after 5ish errors. Preferably block the IP used, not the account.
About storing hashed passwords, use salts and hmac + sha512 in php : hash_hmac