Security of Password Recovery
Message
To:
30/12/2014 14:37:52
General information
Forum: ASP.NET
Category: Other
Environment versions
Environment: VB 9.0
OS: Windows Server 2012
Network: Windows 2008 Server
Database: MS SQL Server
Application: Web
Miscellaneous
Thread ID: 01612857
Message ID: 01612862
Views: 41
Did you have to make my job even more complex? :) (just kidding). Thank you. I will put this on my to-do list.

>One thing you can consider is limiting the number of password recovery attempts. For example, allow only 3 attempts per IP address per 24-hour period. Or, if there are 3 unsuccessful attempts in a row, then that IP address is locked out permanently.
>
>This whole concept of automated password recovery is a bit scary. People tend to use a single e-mail address for many sites so if one site gets compromised, the harvested addresses can be tried on others.
>
>>I agree that the second approach (in your options) is misleading. So I will use the first approach. I don't see a real downside in terms of security.
>>Thank you.
>>
>>>I've seen this done two ways.
>>>
>>>- Return an error saying the email doesn't exist
>>>- Return a message that password reset instructions were sent. Personally, I don't like this method because the user can enter an invalid email address and think they're getting the reset instructions.
>>>
>>>
>>>>Hi,
>>>>
>>>>Speaking about the security aspect of password recovery: regardless of the approach to resetting the password (emailing the password in plain text, or sending a link to reset the password), what if a user enters an email that does not exist in the database? Is it OK to return a message to the user such as "Email not found"? In theory someone can check whether this or that person has access to the site (by entering an email address), but do you think this may create a security breach?
"The creative process is nothing but a series of crises." Isaac Bashevis Singer
"My experience is that as soon as people are old enough to know better, they don't know anything at all." Oscar Wilde
"If a nation values anything more than freedom, it will lose its freedom; and the irony of it is that if it is comfort or money that it values more, it will lose that too." W.Somerset Maugham
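The thread settles on two controls: answer the "forgot password" form with the same message whether or not the address is registered (so the form cannot be used to enumerate accounts), and limit recovery requests to 3 per IP address per 24-hour period. The following is an added example, not code from the original thread or from the poster's application; it uses in-memory dictionaries in place of the SQL tables, a constructed sample account, and a hypothetical `https://example.invalid/reset` link. It implements the first rate-limit variant suggested above (a sliding 24-hour window) rather than the permanent lock-out, stores only a hash of the reset token so a leaked reset table cannot be replayed, and makes each token single-use and time-limited.

```python
import hashlib
import secrets
import time
from collections import defaultdict, deque

# Hypothetical in-memory stores standing in for the site's SQL tables.
USERS = {"alice@example.com": {"id": 1}}   # constructed sample account
RESET_TOKENS = {}                            # sha256(token) -> (user_id, expires_at)
OUTBOX = []                                  # (email, link) handed to the mailer
ATTEMPTS = defaultdict(deque)                # ip -> timestamps of recent requests

WINDOW_SECONDS = 24 * 3600                   # "3 attempts per IP per 24 hours"
MAX_ATTEMPTS_PER_WINDOW = 3
TOKEN_TTL_SECONDS = 15 * 60                  # reset links expire after 15 minutes

# One reply for known and unknown addresses alike: no enumeration oracle.
GENERIC_REPLY = "If that address is registered, reset instructions have been sent."
RATE_LIMITED_REPLY = "Too many reset requests from your network. Try again later."


def _ip_allowed(ip, now):
    """Sliding-window limit: at most MAX_ATTEMPTS_PER_WINDOW requests per IP."""
    recent = ATTEMPTS[ip]
    while recent and now - recent[0] >= WINDOW_SECONDS:
        recent.popleft()                     # drop timestamps older than the window
    if len(recent) >= MAX_ATTEMPTS_PER_WINDOW:
        return False
    recent.append(now)
    return True


def _token_digest(token):
    # Only the digest is stored; the raw token lives solely in the emailed link.
    return hashlib.sha256(token.encode()).hexdigest()


def request_password_reset(email, ip, now=None):
    """Handle a 'forgot password' form post; returns the message shown to the user."""
    now = time.time() if now is None else now
    if not _ip_allowed(ip, now):
        return RATE_LIMITED_REPLY
    user = USERS.get(email.strip().lower())
    # Generate a token on every request so the work done (and hence the
    # response time) does not differ between known and unknown addresses.
    token = secrets.token_urlsafe(32)
    if user is not None:
        RESET_TOKENS[_token_digest(token)] = (user["id"], now + TOKEN_TTL_SECONDS)
        OUTBOX.append((email, f"https://example.invalid/reset?token={token}"))
    return GENERIC_REPLY


def consume_reset_token(token, now=None):
    """Redeem a token from the emailed link. Returns the user id, or None."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(_token_digest(token), None)   # pop: single use
    if entry is None:
        return None
    user_id, expires_at = entry
    return user_id if now < expires_at else None


if __name__ == "__main__":
    print(request_password_reset("alice@example.com", "203.0.113.5"))
    print(request_password_reset("nobody@example.com", "203.0.113.5"))
    print("mails queued:", len(OUTBOX))     # 1: only the registered address gets mail
```

Two practical caveats that the thread's suggestion does not cover: a per-IP limit does nothing against an attacker with many addresses and will lock out everyone behind a shared NAT, so a per-account limit on outstanding reset mails is a useful complement; and a permanent lock-out on three failures is a denial-of-service lever, since anyone can burn three attempts from an address they want blocked.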