I just tried the Lost password page, and I think we shouldn't tell the user whether the email was found in the database, to avoid anyone checking up on emails they know. Two worst case scenarios are that our site can be used by spammers to verify addresses they've collected, and that an employer can check which employees are looking for new jobs. We could instead just show a message including the following information:
The email should arrive shortly, IFF the email is found in our user database.
If you don't receive an email, please check the spelling and try again.
For users to be able to detect their error after the fact, we could let the email stay in the field after submission.
To stop pranksters and accidental double-clicks from annoying users, we could also add a restriction that no email will be sent if an email was sent to the same address less than X seconds / minutes before. We should probably change the message to reflect that, to avoid even a white lie (ref. "your email will arrive shortly").
What do you think?
--
Victor Engmark
Quidquid latine dictum sit, altum videtur - What is said in Latin, sounds profound
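The handler design proposed above (one neutral message whether or not the address is registered, the submitted address echoed back to the form, and no second email within X seconds), as an added example that is not part of the original post or of any project code. The user store, the in-memory outbox, and the 300-second window are constructed assumptions.

```python
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: a tiny user store standing in for the real database.
USERS = {"alice@example.com", "bob@example.com"}
RESET_WINDOW_SECONDS = 300  # the "X seconds" from the proposal; assumed value

# Identical text for every submission, so the response reveals nothing about
# whether the address exists or whether a reset email was actually sent.
NEUTRAL_MESSAGE = (
    "If that address is in our database and no reset email was sent to it "
    "recently, a message will arrive shortly. If nothing arrives, please "
    "check the spelling and try again."
)


@dataclass
class ResetService:
    users: set
    window: int = RESET_WINDOW_SECONDS
    outbox: list = field(default_factory=list)   # queued emails (address only)
    last_sent: dict = field(default_factory=dict)  # address -> last send time

    def request_reset(self, email: str, now: Optional[float] = None) -> dict:
        """Handle a lost-password submission.

        Always returns the same message and echoes the submitted address back
        so the user can spot a typo. An email is queued only for a known
        address that has not been emailed within the rate-limit window.
        """
        now = time.time() if now is None else now
        addr = email.strip().lower()  # normalise so "Alice@..." matches
        if addr in self.users:
            last = self.last_sent.get(addr)
            if last is None or now - last >= self.window:
                # Queue rather than send inline, so the request path does the
                # same (cheap) work for known and unknown addresses.
                self.outbox.append(addr)
                self.last_sent[addr] = now
        # Unknown address or rate-limited: same response, nothing queued.
        return {"message": NEUTRAL_MESSAGE, "email": email}
```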