
Forgotten Login Password

“Forgot password?” should be instant. The site should simply ask the user to enter the email address and immediately let the user know whether the email address is in the system or not. Otherwise, you could lose out on ordering opportunities.

We tried to order dinner online and Paul (SO) forgot his password. He entered the email address and the response page said it was mailed. Nothing came in after ten minutes of checking. He tried a second time, still to no avail. The place’s competitor also has online ordering and we could easily switch our plans.

Another time I was trying to order an item. I registered and tried to purchase the item. But when I signed back in (after not receiving an email within ten minutes), my account didn’t exist. The site would not accept any of the information I entered.

The next time, I registered and confirmed it worked by logging out and back in. Then I tried to order the item again… no luck. Moral: Make sure your order forms and forgot-password process work.

Giving up, I emailed the company (it had the best deal) and got a reply a few days later suggesting I call. I wrote back saying I prefer to order online because I’m hard of hearing. No reply yet. Another lesson: Reply to customer emails within 24 hours with the only exception being when the office isn’t open. Lesson #2: Offer the customer multiple ways to contact your company.

One Comment

I’m sorry, but you have this wrong.
One of the most basic security rules is that you do not ever reveal whether it is the password or the username that is incorrect, unless you have a bulletproof method of preventing brute-force attacks. By revealing whether or not an email address exists you allow an attacker to simply run through random email addresses until they get a match. Only then do they expend any energy on trying random passwords. If the two can only be tested together, the chances of getting lucky are minimal; if the two can be tested separately, then it is only a matter of having enough time.
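
The rule from the comment above, applied to a forgot-password form, as an added example that is not part of the original post or comment. It puts a handler whose reply confirms which addresses exist beside one that answers every address identically and still mails the link at once; the function names, sample address and 15-minute token lifetime are assumptions.

```python
import hashlib
import secrets
import time

USERS = {"paul@example.com"}   # constructed sample account store
OUTBOX = []                    # stand-in for a mail queue: (address, token)
RESET_TOKENS = {}              # sha256(token) -> (address, expiry timestamp)
GENERIC_REPLY = "If that address is registered, a reset link is on its way."
TOKEN_TTL = 15 * 60            # seconds; assumed lifetime


def normalize(email):
    return email.strip().lower()


def request_reset_enumerable(email):
    """The reply differs per address, so it confirms which accounts exist."""
    if normalize(email) in USERS:
        return "Reset link sent."
    return "No account with that email address."


def request_reset_uniform(email, now=None):
    """Identical reply for every address; only real accounts get mail."""
    now = time.time() if now is None else now
    addr = normalize(email)
    if addr in USERS:
        token = secrets.token_urlsafe(32)
        # Store only a hash so a leaked table cannot be replayed as links.
        digest = hashlib.sha256(token.encode()).hexdigest()
        RESET_TOKENS[digest] = (addr, now + TOKEN_TTL)
        # Queue the mail; sending inline would make real accounts slower
        # to answer and leak the same fact through timing.
        OUTBOX.append((addr, token))
    return GENERIC_REPLY


def distinct_replies(handler, addresses):
    """Regression check: a non-enumerable handler yields exactly one reply."""
    return {handler(a) for a in addresses}


if __name__ == "__main__":
    sample = ["Paul@Example.com", "nobody@example.com"]  # constructed input
    print(distinct_replies(request_reset_enumerable, sample))
    print(distinct_replies(request_reset_uniform, sample))
    print(len(OUTBOX), "message(s) queued")
```

The `distinct_replies` check fits in a test suite as-is: if a later change makes the reset form answer differently for known and unknown addresses, the set grows past one element.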
