Best practice for forgot password form, ok to leak that a given e-mail is invalid

Çağlar Arlı

On our forgot password reset form, is it ok to leak that a given e-mail address entered is invalid? Or should we always just return success and check your e-mail, even if the e-mail is not valid?

I feel like always returning success can provide a bad user experience, i.e. if a user is trying to remember which e-mail they used for the service.