When I do a password recovery for a customer-user from the login screen it works.
But when I do a password recovery making up an email that is not in the database -- it SAYS it sent the email, giving no overt indication it did not have a record of that customer. The log file shows no action taken (so no indication it tried to send any mail).
This may be a feature, so one cannot just guess ID's and get email sent, but it is quite confusing for infrequent visitors who may not know if they registered already.
Is this by design?
And/or might I have something misconfigured that causes it?
Password recovery email for customer-user - bug or feature or mistake?
- Znuny newbie
- Posts: 55
- Joined: 10 Feb 2015, 15:30
- Znuny Version: 4.0.6
- Real Name: Linwood Ferguson
- Company: LE Ferguson, LLC
Linwood Ferguson
OTRS 4.0 patch 6, ubuntu 14.04 on HyperV, MySql
Re: Password recovery email for customer-user - bug or feature or mistake?
Yes, this is by design. You should never be able to use this function to know which users are configured for the system, so it is a security feature.
"Production": OTRS™ 8, OTRS™ 7, STORM powered by OTRS
"Testing": ((OTRS Community Edition)) and git Master
Never change Defaults.pm! :: Blog
Professional Services:: http://www.otrs.com :: enjoy@otrs.com
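As an added illustration of the design jojo describes (this is not OTRS/Znuny code; the customer table, function names and message text are constructed for the example), a reset handler that answers identically whether or not the address is on file, shown beside the leaky variant it replaces:

```python
# Added example (not OTRS/Znuny code): a password-recovery handler that gives
# the same answer whether or not the address is on file, so the form cannot be
# used to enumerate customer accounts. Names and sample data are constructed.
import logging
import secrets

# Constructed sample customer table: address -> customer id
CUSTOMERS = {"alice@example.com": "cust-1001", "bob@example.com": "cust-1002"}

# The wording the thread settles on: true whether or not the account exists.
UNIFORM_MESSAGE = "If your account is on file, an email has been sent."

log = logging.getLogger("password_recovery")


def request_reset_leaky(email, sent_mail):
    """Anti-pattern: the response reveals whether the address is registered."""
    if email.strip().lower() not in CUSTOMERS:
        return "No account found for that address."
    sent_mail.append((email, secrets.token_urlsafe(32)))
    return "Password reset email sent."


def request_reset_uniform(email, sent_mail):
    """Enumeration-resistant variant: identical user-facing result either way.

    A token is generated unconditionally so both paths do roughly the same
    work; the mail is only queued when the account exists, and the
    unknown-address case goes to the server log instead of the visitor (the
    thread notes OTRS logs nothing here; a server-side entry keeps the uniform
    response while still giving the operator a record of the attempt).
    """
    token = secrets.token_urlsafe(32)
    customer = CUSTOMERS.get(email.strip().lower())
    if customer is None:
        log.info("password recovery requested for unknown address %r", email)
    else:
        sent_mail.append((email, token))
    return UNIFORM_MESSAGE


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    outbox = []
    for addr in ("alice@example.com", "nobody@example.com"):
        print(addr, "->", request_reset_leaky(addr, outbox))
        print(addr, "->", request_reset_uniform(addr, outbox))
    print("queued mails:", len(outbox))
```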
Re: Password recovery email for customer-user - bug or feature or mistake?
jojo wrote: Yes, this is by design. You should never be able to use this function to know which users are configured for the system, so it is a security feature.
Fair enough. I may change the wording a bit, something like "If your account is on file an email has been sent", to at least slightly unmuddy the water a tiny bit.
I do get the need, I've been involved with systems that made it ridiculously easy to find account names. But it is always a balance of risk vs. confusion. In my case, today at least, the external users are Joe-random-public, and confusion plays a much bigger role than it might servicing internal employees. Or even if it doesn't, companies tell employees "don't be stupid" all the time; it's hard to tell the public that (and survive).

Linwood Ferguson
OTRS 4.0 patch 6, ubuntu 14.04 on HyperV, MySql