Password Recovery Should Not Indicate If Email Address Is Found

Password Recovery currently indicates whether or not a username/email exists as a user in the system. It shouldn't do that. A better solution would be to just tell the user that an email will be sent to the address if it's in the system. Maybe have it throw a random security question out as well so would-be miners/hackers can't tell if the address exists in the system or not.