Forgot my password to a site this morning and as a result encountered a couple of examples of how not to do things.
If you tell me the email address was not found you're leaking information. It's possible to test for the existence of accounts with just an email address. Just say "If the email exists a reset link will be sent".
And then why must my password be "letters and numbers only"? Just take whatever I type in and hash it... you are sanitizing the input, right? Right?
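Both complaints in this post map to a small amount of server-side code. The following is an added example, not code from the post or from the site in question: it assumes an in-memory user store and an injected mail-sending callable, and shows a reset endpoint that answers identically whether or not the address is registered, alongside a password hash that accepts any string the user typed.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory store: email -> (salt, pbkdf2 digest). Assumption for the example.
USERS = {}

# Same wording for every request, so the response does not reveal whether the address exists.
RESET_MESSAGE = "If that email exists, a reset link has been sent."


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Hash whatever the user typed. No character whitelist: the bytes go straight into the KDF,
    so spaces, quotes, symbols and non-ASCII are all fine."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 600_000)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)  # constant-time comparison


def register(email: str, password: str) -> None:
    USERS[email.strip().lower()] = hash_password(password)


def request_reset(email: str, send_mail) -> str:
    """Always mint a token and always return RESET_MESSAGE. Only a registered address gets mail.
    send_mail should enqueue rather than block, so a hit and a miss take about the same time."""
    token = secrets.token_urlsafe(32)
    if USERS.get(email.strip().lower()) is not None:
        send_mail(email, token)  # token would also be stored with an expiry; omitted here
    return RESET_MESSAGE
```

The point of `request_reset` is that the caller can only ever see one message; whether mail was actually sent is visible only to the mailbox owner.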