This repository has been archived by the owner on Apr 28, 2020. It is now read-only.
Related to #189, when a user resets their password using their username, they are not told what email address their reset code has been sent to. This should be hinted at in one of two ways:
Reset code was sent to your email address j***@p***
Reset code was sent to your pobox.com email address
The first does not reveal much, but gives both a legit user and an attacker a hint of which address it may have been.
The second is more elegant, but gives away the domain. This isn't a big deal when most users are on Gmail, but it may be a concern for less prominent domains.
Twitter's masking format is two letters each of username and domain, followed by * characters matching the exact number of characters. As we've learnt in the Aadhaar trolling incident of May 2017, this is enough information to give away someone's identity. Lastuser should consider (a) revealing a single character, and (b) a fixed number of mask characters (like ***) to avoid revealing character count. Any downsides to this are currently unclear.
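As an added illustration (not code from this issue or from Lastuser), the three hint formats discussed above side by side, with a constructed pool of addresses to measure how much each one narrows down the account owner; the function names and the sample pool are assumptions.

```python
from collections import Counter
from typing import Callable, Dict, List, Tuple


def _split(email: str) -> Tuple[str, str]:
    """Split on the last '@'; reject anything without a local part and domain."""
    if "@" not in email:
        raise ValueError("not an email address")
    local, domain = email.rsplit("@", 1)
    if not local or not domain:
        raise ValueError("empty local part or domain")
    return local, domain


def mask_twitter_style(email: str) -> str:
    """Two leading characters of each part, then one '*' per remaining character.
    The length of both parts is preserved, which is the leak noted above."""
    local, domain = _split(email)
    return (f"{local[:2]}{'*' * (len(local) - 2)}@"
            f"{domain[:2]}{'*' * (len(domain) - 2)}")


def mask_fixed(email: str, mask: str = "***") -> str:
    """One leading character of each part plus a fixed-width mask (j***@p***):
    the output reveals nothing about length."""
    local, domain = _split(email)
    return f"{local[0]}{mask}@{domain[0]}{mask}"


def mask_domain_only(email: str) -> str:
    """The issue's second option: show only the domain."""
    return _split(email)[1]


def anonymity_sets(addresses: List[str], masker: Callable[[str], str]) -> Dict[str, int]:
    """Count how many pool addresses share each masked form; a form shared by
    a single address identifies that address uniquely."""
    return dict(Counter(masker(a) for a in addresses))


def smallest_set(addresses: List[str], masker: Callable[[str], str]) -> int:
    """Worst case over the pool: 1 means some address is fully identified."""
    return min(anonymity_sets(addresses, masker).values())


# Constructed sample pool (hypothetical accounts, not real users).
CANDIDATES = ["jane@pobox.com", "john@pobox.com", "jo@pobox.com",
              "janet@pobox.com", "jane@gmail.com", "jack@gmail.com"]

if __name__ == "__main__":
    for name, m in [("twitter", mask_twitter_style), ("fixed", mask_fixed),
                    ("domain", mask_domain_only)]:
        print(f"{name:8} smallest set={smallest_set(CANDIDATES, m)} {anonymity_sets(CANDIDATES, m)}")
```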