Hi,
Speaking about security aspect of Password recovery. Regardless of the approach of resetting password (email password in plain text, or sending a link to reset a password), what if user enters an email that does not exist in the database? Is it ok to return to the user a message such as "Email not found"? In theory someone can check if this or that person has access to the site (by entering an email address) but do you think this may create a security breach?
"The creative process is nothing but a series of crises." Isaac Bashevis Singer
"My experience is that as soon as people are old enough to know better, they don't know anything at all." Oscar Wilde
"If a nation values anything more than freedom, it will lose its freedom; and the irony of it is that if it is comfort or money that it values more, it will lose that too." W.Somerset Maugham