If a user can’t log in, send a password reset link. Verify account exists; send reset; advise checking spam; try again in 5 minutes. Never change passwords manually. Do not expose PII by confirming whether an email exists.
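An added example (not part of the original page) of a reset-request handler that follows this procedure: the account check happens internally, and the caller gets the same reply whether or not the email exists. The in-memory stores, the `app.example.com` URL, the 30-minute token lifetime and the per-address throttle are assumptions made for the example.

```python
import hashlib
import secrets
import time

# Constructed sample data: the stores, URL and constants below are assumed
# names for this example, not taken from the original page.
ACCOUNTS = {"alice@example.com": {"user_id": 1}}
OUTBOX = []          # stands in for the outgoing mail queue
RESET_TOKENS = {}    # sha256(token) -> (user_id, expiry time)
LAST_REQUEST = {}    # normalized email -> time of last accepted request
RETRY_AFTER_SECONDS = 5 * 60   # matches "try again in 5 minutes"
TOKEN_TTL_SECONDS = 30 * 60    # assumed link lifetime
GENERIC_REPLY = (
    "If an account exists for that address, a reset link has been sent. "
    "Check your spam folder, and try again in 5 minutes if nothing arrives.")


def request_password_reset(email, now=None):
    """Handle a reset request; the reply is identical for every address."""
    now = time.time() if now is None else now
    key = email.strip().lower()
    # Throttle per address whether or not it is registered, so the throttle
    # itself cannot be used to tell the two cases apart.
    last = LAST_REQUEST.get(key)
    if last is not None and now - last < RETRY_AFTER_SECONDS:
        return GENERIC_REPLY
    LAST_REQUEST[key] = now
    # The existence check stays internal and never reaches the caller.
    # Mail is queued rather than sent inline, keeping both paths short.
    account = ACCOUNTS.get(key)
    if account is not None:
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        RESET_TOKENS[digest] = (account["user_id"], now + TOKEN_TTL_SECONDS)
        OUTBOX.append((key, f"https://app.example.com/reset?token={token}"))
    return GENERIC_REPLY


def redeem_reset_token(token, now=None):
    """Return the user_id for a valid token exactly once, else None."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(digest, None)   # single use: removed on lookup
    if entry is None or now > entry[1]:
        return None
    return entry[0]
```

Only a hash of each token is stored, so a leaked token table does not yield usable reset links.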