gitlab-org--gitlab-foss/spec
Robert Speicher ba79d1e5b8 Merge branch 'devise_paranoid_mode' into 'master'
Enable Devise paranoid mode and ensure the returned message is the same
every time. This will prevent user enumeration (low impact).

Prior to this change a user could type an email in the password reset
field and if the email didn't exist it returned an error. If the email
was valid it returned a message saying the forgot password link had been
emailed. After this change the user will receive a message that if the
email is in our database the reset link will be emailed.

I also changed the throttle mechanism so it still works the same but
now returns the exact same message as above. Previously it would say
'You've already sent a request. Wait a few minutes'. This also allows
user enumeration, although it requires a double-check.

Related to https://dev.gitlab.org/gitlab/gitlabhq/issues/2624

See merge request !2044
2015-12-10 01:58:11 +00:00
benchmarks
controllers Merge branch 'serve_lfs_object' into 'master' 2015-12-08 14:19:52 +00:00
factories Merge branch 'master' into merge-if-green 2015-12-09 09:00:25 +01:00
features Merge branch 'devise_paranoid_mode' into 'master' 2015-12-10 01:58:11 +00:00
finders
fixtures Use URL helpers in specs 2015-12-03 14:00:09 +01:00
helpers Improve text indication visibility on snippets 2015-12-08 14:31:24 -08:00
javascripts Make tab target selectors less naive 2015-12-08 14:47:28 -05:00
lib Tag lib specs 2015-12-09 11:55:42 +01:00
mailers fix deprecation messages in tests 2015-12-03 10:33:43 +02:00
models Merge branch 'master' into split-up-builds 2015-12-09 13:56:26 +01:00
requests Merge branch 'master' into merge-if-green 2015-12-08 22:34:03 +01:00
routing
services Merge branch 'master' into split-up-builds 2015-12-09 13:56:26 +01:00
support Merge branch 'serve_lfs_object' into 'master' 2015-12-08 14:19:52 +00:00
tasks/gitlab
views/help
workers
factories.rb
factories_spec.rb
rails_helper.rb
spec_helper.rb
teaspoon_env.rb