Copying the email address to a forgotten password page
None as such
The change that you are proposing seems only to be a user experience change. Yes, someone can say that it will make it user friendly for malicious users to lock normal users out of the system but that's not on you.
The bigger problem for you is your policy of locking the user's account when they click on forgot password. It makes it very easy for a malicious user to lock you out of your account. They just have to go to forgot password -> Enter the valid email id -> Hit the reset button.
There aren't any major concerns here, although I would ensure that caching is disabled so that anyone visiting the page in the same browser doesn't gain access to the email address if loading the Forgotten Password page.
Header recommendations from here. Note that while Pragma is by specification a request header in HTTP 1.0, many browsers and proxy servers would still interpret it if given in a response.
Cache-Control: private, no-cache, no-store, max-age=0, no-transform
Pragma: no-cache
Expires: 0
You should also mitigate cross-domain referer leakage and storage in the browser history by POSTing the redirect to the Forgotten Password page.
Other comments on your general approach
They are then shown a message telling them that if they have an account, the account has been locked and that a password reset email has been sent to their email account.
Locking the account could be done as a Denial of Service attack against a particular user. If I know that [email protected] has an account on your system and I want to deny him service, I could repeatedly request a password reset for that account in order to keep locking him out.
When a user logs into the website, they get a message to tell them the login details are incorrect, but we do not specify if it is the username or the password that is incorrect.
What do you display if the account is locked out?
If you say that their username and password are incorrect then the user may be confused if it is in fact locked (as per my DoS explanation above).
However, if you say that their account is locked out are you also doing this for non-existent accounts? I ask because if not, as an attacker I could attempt a password reset, and then immediately try logging in as the same user. If I then get a message saying the account is locked, I have then discovered a valid account (this is classed as a User Enumeration vulnerability).
Therefore you may also wish to make your logic appear to lock non-existent accounts if a password reset was attempted. You may want to appear to unlock these after a random period of time, otherwise an attacker could infer that a permanently locked account is an account that does not exist, due to its never having been unlocked.
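As an added illustration (not code from this answer or from the site being discussed), the following Python sketch shows the lock bookkeeping described above: a reset request records a lock for any submitted address, real or not, with a random expiry, and the login path answers identically for both. The `ResetService` class, its message strings and the injectable `clock`/`rng` parameters are assumptions made for the example.

```python
import hmac
import secrets
import time

# Constructed message strings; the point is that each one is identical for
# existing and non-existent accounts.
GENERIC_RESET_MSG = ("Thank you! If an account has been created with the supplied "
                     "e-mail address, an e-mail will be sent with reset instructions.")
GENERIC_LOGIN_FAIL = "The login details you entered are incorrect."
GENERIC_LOCKED = "This account is temporarily locked. Please use the reset e-mail to continue."


class ResetService:
    """Hypothetical reset/login service that hides whether an address has an account."""

    def __init__(self, accounts, lock_seconds_range=(900, 3600), clock=time.time, rng=None):
        # accounts: email -> password (constructed demo data; a real system stores hashes)
        self._accounts = accounts
        self._locks = {}                 # email -> unlock timestamp, for real AND fake accounts
        self._range = lock_seconds_range
        self._clock = clock              # injectable so the behaviour can be tested offline
        self._rng = rng or secrets.SystemRandom()

    def request_reset(self, email):
        # Same message and same lock entry whether or not the account exists, so neither
        # this endpoint nor the login page reveals which addresses are registered.
        email = email.strip().lower()
        lo, hi = self._range
        self._locks[email] = self._clock() + self._rng.uniform(lo, hi)
        if email in self._accounts:
            self._send_reset_email(email)   # only real accounts receive mail
        return GENERIC_RESET_MSG

    def is_locked(self, email):
        until = self._locks.get(email)
        if until is None:
            return False
        if self._clock() >= until:
            del self._locks[email]          # fake and real locks expire the same way
            return False
        return True

    def login(self, email, password):
        email = email.strip().lower()
        if self.is_locked(email):
            return GENERIC_LOCKED           # identical for locked real and locked fake accounts
        stored = self._accounts.get(email)
        if stored is not None and hmac.compare_digest(stored, password):
            return "OK"
        return GENERIC_LOGIN_FAIL

    def _send_reset_email(self, email):
        pass  # placeholder: a real implementation would mail a single-use reset token
```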
I cannot see any 'industry standard' that you have broken, when copying usernames to the forgotten password page.
As far as I see it, as long as you are displaying the same message for a valid and invalid username (e-mail address), when this is submitted to the forgotten password facility, you should be fine.
I.e. regardless of a valid or invalid e-mail address, the user will be shown a message along the lines of: "Thank You! If an account has been created with the supplied e-mail address, an e-mail will be sent to that address, with instructions to reset your password."
The only way that I can see an issue would be if the username field is enabled with autocomplete. Obviously if the user is on a shared computer, then they run the risk of their username (e-mail address) potentially being disclosed to an attacker, but that all depends on the type of website that is being discussed here.