While not with WordPress, I've had this conversation multiple times with both management where I'm employed and client management. I always give pushback when it comes to logins, forgotten passwords, and registrations. Telling someone that a username/email or password is wrong just halved the work needed to break into a system, if not more (since having a username or email correct, with an incorrect password, could allow further social engineering).
For a forgotten password where an email is entered, I always send back a success message. I understand that humans type their emails incorrectly, but allowing a user to enter an email address and seeing a message stating the email wasn't found has now just become a way for an attacker to discover what emails are registered with a website. From there, social engineering becomes much easier, as well as brute forcing ONLY a password and not an email/password combination.
I understand that the complexity in this is due to human frustration, rather than a technology problem. Probably one of the more complex problems to solve. I wish I could paste over these issues by writing more code.
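The pattern described in the comment above (a forgot-password handler that answers identically whether or not the address is registered), as an added example written for this page and not code from the commenter or from WordPress. It contrasts the enumeration-prone handler with the uniform one. The user table, outbox and token store are constructed stand-ins for a database and mailer; `USERS`, `outbox`, `reset_tokens` and the function names are all hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample user table (email -> user id); placeholder data, not from any real site.
USERS = {
    "alice@example.com": "user-1",
    "bob@example.com": "user-2",
}

# One response for every outcome, so neither the body nor the status code
# tells the caller whether the address exists.
GENERIC_RESPONSE = {
    "status": 200,
    "message": "If an account exists for that address, a password reset link has been sent.",
}

# Hypothetical stand-ins for a mail queue and a reset-token table.
outbox = []
reset_tokens = {}


def reset_state():
    """Clear the constructed outbox and token store (used by the test harness)."""
    outbox.clear()
    reset_tokens.clear()


def leaky_forgot_password(email):
    """The enumeration-prone pattern: a different answer when the email is unknown."""
    if email.strip().lower() not in USERS:
        return {"status": 404, "message": "No account found for that email address."}
    return {"status": 200, "message": "A password reset link has been sent."}


def safe_forgot_password(email):
    """Same body and status whether or not the address is registered.

    The unknown-address branch generates and hashes a token exactly like the
    known-address branch, so the two code paths cost about the same time;
    the only difference is whether a mail is actually queued. Only the hash
    of the token is stored, so a leaked token table cannot be replayed.
    """
    normalized = email.strip().lower()
    user_id = USERS.get(normalized)

    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()

    if user_id is not None:
        reset_tokens[token_hash] = user_id
        outbox.append({"to": normalized, "token": token})
    else:
        # Burn equivalent work so timing does not distinguish the branches;
        # nothing is stored and nothing is sent.
        hmac.compare_digest(token_hash, token_hash)

    return dict(GENERIC_RESPONSE)


def redeem_reset_token(token):
    """Look up a presented token by its hash; returns the user id or None."""
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    for stored_hash, user_id in reset_tokens.items():
        if hmac.compare_digest(stored_hash, token_hash):
            return user_id
    return None


if __name__ == "__main__":
    print(leaky_forgot_password("nobody@example.com"))   # reveals the address is unknown
    print(safe_forgot_password("nobody@example.com"))    # identical to the registered case
    print(safe_forgot_password("alice@example.com"))
    print("mails queued:", len(outbox))
```

The uniform response closes the enumeration channel the comment describes, but it does not by itself stop someone from submitting many addresses; per-source and per-address rate limiting on this endpoint is the usual companion control, and the identical-work branch is a best-effort measure rather than a guarantee against timing differences introduced by the mailer or database.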