We do not want to provide any information that would allow an attacker to determine if an entered username/email address is valid or invalid. Otherwise an attacker could enumerate valid accounts for phishing attacks or brute force attack.
=== Email Change and Verification Functions ===
Email verification links should not provide the user with an authenticated session.
Email verification codes must expire after 8 hours.
===Password Storage===