HM Revenue & Customs is facing fresh criticism after users complained that its tax self-assessment website reveals their password in the URL address bar.


Users claimed that while filling in their online tax forms, their personal details would be at risk because the username field has an auto-complete function. One user claimed that when he clicked on a link to open the ‘about you' page, his password was displayed in the browser address bar, and when a page was printed off the password was printed as part of the URL.

Richard Clayton, a security expert at Cambridge University, said: “Seeing someone's tax return is not the same as accessing their identity, however. Though it could be a step towards doing that.”


HMRC claimed that the URL does not contain the customer's password, but shows a unique taxpayer record (UTR) number. In a statement it said: “To log in to our secure services a user ID and password is required; the UTR is not based on either of these.”