id summary reporter owner description type status component version severity resolution keywords cc stage has_patch needs_docs needs_tests needs_better_patch easy ui_ux 26161 django.contrib.auth password reset email reveals the user id Ran Benita nobody "This was already asked in an (unanswered) django-users question, and the description there still holds, so I'll not repeat it: https://groups.google.com/forum/#!searchin/django-users/user$20id$20password$20reset/django-users/6c8_Vfr8K1w/-TXJoVBM3poJ I think most sites would prefer not to reveal how many users are registered or the growth rate of that value, and this is the only place that I know of where the user ID is exposed. I suspect there is no way to fix the existing view/form in a backward-compatible way, because of custom templates and 3rd party packages which use this, like ""djoser"", but thought I'd raise the issue anyway." Bug closed contrib.auth 1.9 Normal invalid Unreviewed 0 0 0 0 0 0