PSA: You don’t exist

This is a bit of general advice for anyone building a forgot-password form: if the user enters an email address that does not exist, warn them. Don’t reply with a generic “check your email” message.

Firstly, to head off the chants of “security, security!”: this only applies to sites with a registration form. Why? Because if you try to register, the site will warn you if the email address is already in use. Therefore the only benefit of not telling users whether their email exists is rendered completely moot.

But more importantly? It makes for a shit user experience. Think about it: if you’re a user using the forgot-password feature, you’re already annoyed because you can’t just get into whatever app you’re trying to use. So you pump in email after email hoping one of them is right, while clicking refresh in Mail waiting to see. Anything you can do to cut down on this frustration is going to make your users’ lives easier.

Which leads me on to another point. When they get the reset link, do not ask them for their email again. If an attacker is trying random strings, you should be using at least 64-character keys, if not 100 (all with limited lifetimes), rendering the email address redundant. And if the attacker has already compromised a user’s email account, worrying about them finding that email address is long gone.
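As an added example (not code from the post), one way to implement reset tokens along these lines in Python: a 64-character random token, stored only as a hash, with a limited lifetime and single use, so the link alone identifies the user and the form never has to ask for the email. The 15-minute lifetime and the in-memory store are assumptions standing in for a real database.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

TOKEN_BYTES = 48               # 48 random bytes -> exactly 64 URL-safe characters
TOKEN_TTL_SECONDS = 15 * 60    # limited lifetime; 15 minutes is an assumed value

# Stand-in for a database table: sha256(token) -> (email, expires_at).
# Only the hash is stored, so a leaked copy of the table cannot be replayed as a link.
_reset_tokens: Dict[str, Tuple[str, float]] = {}


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(email: str, now: Optional[float] = None) -> str:
    """Create a reset token for `email` and return the raw token for the email link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(TOKEN_BYTES)  # ~384 bits of entropy, 64 characters
    _reset_tokens[_digest(token)] = (email, now + TOKEN_TTL_SECONDS)
    return token


def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the email the token was issued for, or None if it is unknown,
    expired or already used. The token identifies the user by itself, so the
    reset form does not need to ask for the email address again."""
    now = time.time() if now is None else now
    # Hashing before the lookup means the dict comparison never sees the raw token,
    # so lookup timing cannot leak it byte by byte.
    record = _reset_tokens.pop(_digest(token), None)  # pop: single use, valid or not
    if record is None:
        return None
    email, expires_at = record
    return email if now < expires_at else None
```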