Password reset request - Return consistent message for both existent and non-existent accounts.

[netcatgirl]

Currently, when requesting a new password, it lets the user know if the account exists or not.

We can't find a user with that e-mail address

and

We have e-mailed your password reset link.

maybe the message could be changed to something like

If there is a user account associated with this email address, we have e-mailed a password reset link to {emailAddress}.

I read about it on the owasp.org auth cheat sheet and thought it might apply here.

[MrKrisKrisu]

Thanks for the hint. Will be fixed in the next release. :)

See #4438