diff --git a/app/Http/Controllers/Auth/ForgotPasswordController.php b/app/Http/Controllers/Auth/ForgotPasswordController.php
index 3619b4e5bf..62798745a7 100644
--- a/app/Http/Controllers/Auth/ForgotPasswordController.php
+++ b/app/Http/Controllers/Auth/ForgotPasswordController.php
@@ -87,6 +87,8 @@ class ForgotPasswordController extends Controller
 \Log::info('Password reset attempt: User '.$request->input('username').'failed with exception: '.$e );
 }
+ // Prevent timing attack to enumerate users.
+ usleep(500000 + random_int(0, 1500000));
 if ($response === \Password::RESET_LINK_SENT) {
 \Log::info('Password reset attempt: User '.$request->input('username').' WAS found, password reset sent');