ObjectIds Are Predictable

• Do not treat ObjectIds as secure.
• For example, don't use them as password-reset tokens.
• Treat ObjectIds as you would an auto-incrementing integer.
• This is not a design flaw of ObjectId.