diff --git a/docs/topics/auth/default.txt b/docs/topics/auth/default.txt index 05c3a7f693..9cebdf4a3e 100644 --- a/docs/topics/auth/default.txt +++ b/docs/topics/auth/default.txt @@ -1238,6 +1238,16 @@ implementation details see :ref:`using-the-views`. :class:`~django.contrib.auth.forms.PasswordResetForm` and use the ``form_class`` attribute. + .. note:: + + Be aware that sending an email costs extra time, hence you may be + vulnerable to an email address enumeration timing attack due to a + difference between the duration of a reset request for an existing + email address and the duration of a reset request for a nonexistent + email address. To reduce the overhead, you can use a 3rd party package + that allows to send emails asynchronously, e.g. `django-mailer + `_. + Users flagged with an unusable password (see :meth:`~django.contrib.auth.models.User.set_unusable_password()` aren't allowed to request a password reset to prevent misuse when using an
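Review bot: the reST hyperlink in the added note has no target as shown (`` `django-mailer `_ ``), so it will not render as a link; the target belongs inside angle brackets after the link text, on the continuation line. The surrounding wording also needs tightening to the docs' register: "you can use a 3rd party package that allows to send emails asynchronously" reads better as "you can use a third-party package that sends email asynchronously". Finally, since the note only claims to "reduce the overhead", it would help the reader to say plainly that asynchronous sending narrows the timing difference between existing and nonexistent addresses rather than removing it, so they do not read the suggestion as a complete fix for the enumeration concern the note raises.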