Another similar module you may want to try before trying this module (it has more installs, more popular):
username enumeration protection

The Forgot Password feature of core can be used to gather information such as valid usernames. Then these information may be used to perform brute force attack or account lockout attack(DoS).
This module addresses this by giving the same message for both Valid/invalid username/email Id.

Overview:
Makes password reset form more secured by not disclosing valid usernames

Installation (D9):
composer require 'drupal/secure_password_reset:^1.0@beta'
2. Go to "Administer" -> "Modules" and enable the module.
Thats all there is to it, the password reset form should now give the user the same message in both cases of valid or invalid username

Installation (D7):
1. Copy the secure_password_reset directory to the Drupal sites/<...>/modules/ directory.
2. Go to "Administer" -> "Modules" and enable the module.
Thats all there is to it, the password reset form should now give the user the same message in both cases of valid or invalid username

Project information

Releases