Brit voucher biz's signup page blabbed families' details via URL tweak

Infernoz Bronze badge

1. The number should be a strong cryptographic digest of the request id and a salt, so that changing a few numbers won't work, and failed attempts should be logged with their client IP address.

2. A password reset page should never show any more than the user name/id.

3. The business may be in breach of the Data Protection Act for showing other users' personal details!
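An added illustration of point 1 above (example code, not from the article or the commenter): the signup link carries the request id plus an HMAC-SHA256 digest of it under a server-side secret, the digest is checked in constant time, and failed checks are recorded with the client IP. The hostname, secret, ids and IPs are constructed for the example.

```python
import hashlib
import hmac
import logging
import secrets
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlencode

log = logging.getLogger("signup-links")

# Constructed for this example; in practice load the secret from a secret store
# so the id -> digest mapping can only be computed server-side.
SERVER_SECRET = secrets.token_bytes(32)

# (client_ip, id presented) for every failed check, feeding alerting/rate limiting.
failed_attempts: List[Tuple[str, str]] = []


def link_token(request_id: str) -> str:
    """Keyed digest of the request id; unguessable without SERVER_SECRET."""
    return hmac.new(SERVER_SECRET, request_id.encode(), hashlib.sha256).hexdigest()


def build_link(request_id: str) -> str:
    """Signup link exposing the id only alongside its digest (example host)."""
    query = urlencode({"id": request_id, "t": link_token(request_id)})
    return "https://example.invalid/signup?" + query


def check_link(query: str, client_ip: str) -> Optional[str]:
    """Return the request id if the digest matches, else log and return None.

    Editing the id in the URL without recomputing 't' fails here, so a
    neighbouring family's record is never looked up.
    """
    params = parse_qs(query)
    request_id = params.get("id", [""])[0]
    presented = params.get("t", [""])[0]
    # compare_digest avoids leaking the correct digest via timing differences.
    if presented and hmac.compare_digest(link_token(request_id), presented):
        return request_id
    failed_attempts.append((client_ip, request_id))
    log.warning("invalid signup link for id=%r from %s", request_id, client_ip)
    return None
```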
