Improve user enumeration protection

[and-rad]

When a user account doesn't exist, visitors are currently informed about that in at least two security-critical situations:

• [x] Account registration
• [ ] Password reset

There are more elegant ways to rephrase user-facing messages and remodel notification behavior that mitigate the security risk and don't sacrifice UX in the process. See here for some inspiration.

Some useful links:

• https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
• https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account
• https://www.nginx.com/blog/rate-limiting-nginx