The "lost password" and "lost username" allow attackers to verify the existence of a given username because they respond with different error messages depending on whether a username exists or not.
After the patch we give a generic message, either "If the email address was correct a reminder has been sent. Please check your mail." or "If the email address was correct a new password has been sent. Please check your mail." The difference / error message is only displayed if you have enabled Debug mode in the Global Config.
Before the patch, if you enter an existing email you are redirected; if not, you stay on the same page. This means everyone can verify the existence of a given username / email.
None.
This is an issue that was reported as a security issue to the JSST. But after discussion the JSST agrees this should be discussed in the public tracker as it may harm the usability.
cc: @joomla/security
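An added example (not Joomla's code and not the PR's patch) contrasting the pre-patch behaviour described above, where only a known address gets the redirect and success text, with a handler that returns the same redirect and text either way, plus the review check that tells the two apart. The account store, outbox, `debug` flag and function names are constructed for illustration.

```python
"""Password-reminder handlers: one that is an account-existence oracle,
one that is not. Everything here is constructed sample code."""

# Constructed sample data: the only registered address in this toy store.
ACCOUNTS = {"alice@example.com": {"username": "alice"}}

# Hypothetical outbox; a real handler would hand the message to a mailer.
OUTBOX = []

SUCCESS_TEXT = "A reminder has been sent. Please check your mail"


def _send_reminder(email):
    OUTBOX.append((email, "reminder"))


def leaky_reminder(email):
    """Pre-patch behaviour: a registered address gets a redirect plus
    success text, an unknown one stays on the form with an error.
    The (redirect, message) pair itself reveals whether the account exists."""
    if email not in ACCOUNTS:
        return {"redirect": False, "message": "Email address not found."}
    _send_reminder(email)
    return {"redirect": True, "message": SUCCESS_TEXT}


def hardened_reminder(email, debug=False):
    """Post-patch behaviour: mail is only sent when the address is known,
    but the caller always receives the same redirect and the same text.
    As on the PR, the real reason is only exposed when debug mode is on."""
    known = email in ACCOUNTS
    if known:
        _send_reminder(email)
    message = SUCCESS_TEXT
    if debug and not known:
        message += " (debug: no account for this address)"
    return {"redirect": True, "message": message}


def leaks_existence(handler, known, unknown):
    """Review check: a handler is an enumeration oracle if its response to a
    registered address differs from its response to an unregistered one."""
    return handler(known) != handler(unknown)
```

Running `leaks_existence` against both handlers is the check a reviewer would apply to any "lost password" or "lost username" view: the hardened version passes only while debug mode is off.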
Status | New | ⇒ | Pending |
Category | ⇒ | Front End com_users Language & Strings |
I understand what you are doing here but there are other ways to see if there is a specific username or email address registered on a site. For example you can attempt to register with this information. Without resolving the "problem" there as well there is little security improvement.

> Without resolving the "problem" there as well there is little security improvement.

Isn't this where the captcha comes into action?

> Without resolving the "problem" there as well there is little security improvement.
> Isn't this where the captcha comes into action?

Only if it is enabled, which it is not by default.

> Only if it is enabled, which it is not by default.

If you care about that you would enable that. But the other thing can't be fixed by the user without a core hack.
> The "lost password" and "lost username" allow attackers to verify the existence of a given username because they respond with different error messages depending on whether a username exists or not.

How do you resolve the fact that the same thing can be done by trying to register?

> How do you resolve the fact that the same thing can be done by trying to register?

We can change those messages too, e.g. in any case we show a general message not saying whether the account exists or not, or what the error is. Just something like "there was an error, please try again" or similar.

> We can change those messages too.

How? Think about it - if I try to register as zero24 at joomla.de what error message could I get that would not reveal that the username zero24 already existed?
If there were a register form at joomla.de we would add a captcha.
The point I have is that the register form can be disabled (and it is by default) but those two views can not be disabled, so IMO they should be protected against that kind of attack in case there is no captcha code set, which should not be required on sites that don't use any kind of registration.
Do you get that point?
Valid point about the registration form
I am not sure why you need code and new language strings to resolve this though. Surely a simple change of the existing strings will be enough? Or am I missing something?
I will take a look at the strings in the morning
> I am not sure why you need code and new language strings to resolve this though. Surely a simple change of the existing strings will be enough? Or am I missing something?

Hmm, I see the problem that we changed the complete meaning of the string, so I thought it would be better to use a new string than a never translated string that does not reflect the changes we applied to the code and just results in more confusion for the user.
So after sleeping on it I think it would work if you just always redirect to the next page and always display the same text. No need to complicate things with adding the "If the email address was correct"
Hmm, what text do you want me to show in that case?
Simply:

> A reminder has been sent. Please check your mail
Please note that I am still not convinced that any of this will really improve security and that it will most likely decrease usability.
I have entered my email and I keep checking my email but nothing arrived
Did you check your spam folder
Yes I checked that but still nothing
Are you sure you entered the correct email address
I have so many email addresses I was sure that this is the one that I used and I didn't get any errors
Well you must have entered the wrong one or you would have got the email
So why didn't you tell me it's the wrong email address
For security
You web guys say that all the time as a lame excuse for making my life harder
Isn't that:

> You web guys say that all the time as a lame excuse for making my life harder

the reason why your initial suggestion on the JSST issue was "If the email address was correct a reminder has been sent. Please check your mail."? Maybe it could be extended to "If the email address was correct a reminder has been sent. Please check your mail and your spam folder."
To be honest, I don't think that the security benefit is big enough to break the usability of such an important workflow. So, I personally would consider this as a "won't fix"
As the JSST have not given a positive response to this PR I would recommend closing it.
Status | Pending | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2017-09-09 19:56:56 |
Closed_By | ⇒ | zero-24 |
To me it's a very bad idea
Preamble
The account security relies on the password, not on the username.
Whoever tries to keep the username secret doesn't have a clear perception of their roles and the differences between them. In this case bad things happen.
Verifying the existence of a username does not give any advantage.
If this PR is meant to mitigate brute force, Joomla provides effective settings to stop brute force at all, so it does not make sense letting attackers execute brute force and trying to mitigate the effect.
Trying to keep the username secret is not necessary
For those who want a higher security level, they can use a longer password, or better, two factor authentication.
Trying to keep the username secret is often impossible to achieve
Joomla can be vague during a password recovery attempt, but it can't lie during an account creation request. If I want to know whether an account exists or not, I can use account creation.
Trying to keep the username secret is harmful
From the UX point of view, this is really confusing. It goes against UX guidelines, which indicate giving the user clear information and instructions.
This PR would make their password recovery (which is notoriously a nightmare) even harder.
I'd like Joomla to continue being a user friendly platform for blog, e-commerce, forum, and everything, but to me this would be a step back.