So when you hit that forgot password link and enter your email address, it seems that sites (and other programmers I've spoken to) are one of either two mindsets;
- Notify the user whether or not the email address matched with one in the database and based on this advise whether a reset password email was set or;
- Immediately respond with a "Email sent" or "If this user exists, we have sent you a password reset email" regardless of whether or a match occurred resulting in an email sent. This is done (apparently) for security reasons.
I've implemented the latter myself and generally found it raised annoyance with users due to;
- If a user mistypes their email address, they are told an email is sent, but they will never receive one.
- If they've typed in a different email address than the one they registered with, again they won't be getting an email.
- A combination of the above can result in multiple attempts but no receipt of a password reset email, resulting in giving up.
Finally, upon investigation of popular websites that use the second scenario, I've found that attempting to register an account with these sites where the entered email address matches an existing account, a "this email address is already in use, or unavailable" type message is displayed anyway.
As such, what are the benefits not revealing whether a password reset email has matched an account, and, how are these beneficial when registration requires email matches to be revealed?