Currently, if you provide an email address that is not associated with an account, it will display the error message:
User not found
I’ve always operated under the assumption that one should not provide informative messages when it comes to any authentication functionality. In this case, this type of message could be used for username enumeration.
OWASP considers informative error messages to be a security issue, and using generic messages is typically considered a best practice. Also related.
I had created a branch with a simple update that would remove this informative error message, but read that I should try and build consensus here before making a pull request.
So what do people think - would an update like this make sense?
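To make the proposal concrete, here is an added example (not this project's code) of the informative reset handler the post describes beside a generic-message version; `USERS`, the handler names and the returned dicts are constructed stand-ins for the real user table and HTTP layer.

```python
# Added example, not the project's code: the "User not found" response
# beside a hardened handler that returns the same message for every input.

# Constructed sample of registered accounts; stands in for the user table.
USERS = {"alice@example.com": {"id": 1}}


def reset_informative(email: str) -> dict:
    """Current behaviour: the response states whether the address is
    registered, so each reset attempt confirms or denies an account."""
    if email not in USERS:
        return {"status": 404, "message": "User not found"}
    return {"status": 200, "message": "Password reset email sent"}


def reset_generic(email: str, sent: list) -> dict:
    """Proposed behaviour: identical status and text for known and unknown
    addresses. The lookup still decides whether a reset email is queued
    (modelled here by appending to `sent`), but that decision never
    reaches the caller."""
    user = USERS.get(email)
    if user is not None:
        sent.append(email)  # stand-in for queuing the real reset email
    return {
        "status": 200,
        "message": "If an account exists for that address, "
                   "a password reset link has been sent.",
    }


def responses_distinguish(handler, known: str, unknown: str, **kw) -> bool:
    """Review check: True if the handler's response differs between a
    registered and an unregistered address, i.e. it leaks existence."""
    return handler(known, **kw) != handler(unknown, **kw)
```

Keeping the body identical is necessary but not sufficient: if the known-account path does noticeably more synchronous work (such as sending the email inline), response timing can reveal the same bit, so dispatch the email asynchronously on both paths.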