Security - User Account Enumeration - Classic + Omeka S


Another security-related question/suggestion. When using the Forgot Password link in Omeka Classic, it gives you a positive response, “Please check your email for a link to reset your password”, if an account exists and a negative response, “Unable to reset password”, if the email entered does not exist, which allows discovery of valid user accounts. This could be convenient but also could be considered a security risk.

Is it possible to give a positive response by default for all password reset requests in Classic?

Has this been considered for security in Omeka S development?
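
The behaviour described in the post, next to a variant that answers every request the same way. This is an added example, not part of the original post and not Omeka's own code; the function names, the in-memory `$users` table and the `$outbox` array standing in for the mailer are hypothetical.

```php
<?php
// Constructed sample data: stands in for the users table.
$users = ['curator@example.org' => ['id' => 7]];
// Hypothetical stand-in for the mailer: reset mails are collected here.
$outbox = [];

// Behaviour described in the post: the reply text depends on whether
// the account exists, so the form confirms valid addresses to anyone.
function resetRevealing(array $users, array &$outbox, string $email): string
{
    $key = strtolower(trim($email));
    if (!isset($users[$key])) {
        return 'Unable to reset password';
    }
    $outbox[] = ['to' => $key, 'token' => bin2hex(random_bytes(16))];
    return 'Please check your email for a link to reset your password';
}

// Uniform variant: a mail is queued only for a real account, but the
// caller receives the same reply either way.
function resetUniform(array $users, array &$outbox, string $email): string
{
    $key = strtolower(trim($email));
    if (isset($users[$key])) {
        $outbox[] = ['to' => $key, 'token' => bin2hex(random_bytes(16))];
    }
    return 'Please check your email for a link to reset your password';
}

foreach (['curator@example.org', 'nobody@example.org'] as $email) {
    printf("%-20s revealing: %s\n", $email, resetRevealing($users, $outbox, $email));
    printf("%-20s uniform:   %s\n", $email, resetUniform($users, $outbox, $email));
}
// Only the two requests for the existing account produced a mail.
printf("Reset mails queued: %d\n", count($outbox));
```

The reply text is only one signal: the HTTP status and the response time should also be the same for existing and non-existing addresses, which is why the mail is queued rather than sent inside the request.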