Final fix for LUI-45 [Forgot Password Form Leaks Valid Usernames]
Created by: bholagabbar
This is the Final Fix for the Leakage of Usernames that was occurring when a user clicked on the 'forgotPassword' link.
https://issues.openmrs.org/browse/LUI-45
The Issue: Whenever a hacker enters the name of a random user, and the user is valid, his/her secret question is shown. This is a major vulnerability that had to be addressed.
The Fix: The solution is to ask ANY user a secret question. If the user is invalid, a random Fake Secret Question is asked whose answer is always false and will not the user pass, locking him out after 5 tries. This secret question is assigned on the basis of the hashvalue of the entered username.