In the forgot_password screen, the user is given the ability to restore their password by inputting their username or email address.
However, the system doesn't alert if a wrong username/email was inserted, and therefore a user could wait forever for the reset password email, not knowing that they will never get it because they supplied the wrong username/email.
This is the message that Moodle gives:
Would you agree with me, that the system should alert in case the wrong username/email was supplied? I doubt that it would a raise security issue, since other large systems - such as WordPress, Basecamp - do alert in such cases (see screenshot of WordPress message, and screenshot of Basecamp message)
I opened a tracker ticket for this issue. Will be glad to discuss it here or there