On my previous project a colleague of mine was testing a log in page. Related to that I gathered test ideas. There were a few main sources of information that helped in coming up with a list of ideas. These were:
- Ministry of Testing – Crowdsource Test Ideas for A Log In Screen: http://www.ministryoftesting.com/wp-content/uploads/2009/12/crowdsource-testideas-loginscreen.pdf
- Darren Mcmillan’s mind map (Test ideas for a log in process): http://www.bettertesting.co.uk/content/?p=1372
Based on those sources and a few others, I picked up and invented ideas that were relevant to our context. I thought that these might be useful to someone and will therefore share them here. It’s a far from exhaustive list, but hopefully valuable for someone.
Feel free to share your own test ideas.
1. Valid username + valid password
2. Valid username + invalid password
3. Valid username + empty password
4. Empty username + valid password
5. Empty username + invalid password
6. Empty username + empty password
7. Invalid username + valid password
8. Invalid username + invalid password
9. Invalid username + empty password
10. Case sensitivity in password
11. Case sensitivity in username
12. Tab key usage — can you move logically from one field to another?
13. Using Enter when logging in (Type username & password and press “Enter” — Will it lead to logging in?)
14. Special characters in password (e.g. [åäö#$_’]) — Can you log in?
15. Using copy-paste on username & password fields
16. Masking of password — password shouldn’t be visible -> characters should be shown as asterisks
17. The error message for an invalid password / username doesn’t reveal too much information. It should say only that the username OR password is invalid, so a possible malicious user can’t figure out which one specifically is invalid.
18. Log in, log out, then use the browser’s [Back] button -> Shouldn’t lead to logging in again
19. Logging in when the user has been erased from the Identity Management solution
20. Logging in when the user’s access has been blocked in the Identity Management solution
21. Logging in when the user doesn’t have enough privileges in the Identity Management solution
22. Logging in when the password has been changed
23. Username field is selected by default when you arrive at the log in page
24. Log in, copy the URL, log out & then paste the URL into the address field and see what happens when you try to go to that pasted URL
25. Session is secured (HTTPS) after log in
26. SQL Injection – e.g. try as the username what is inside the square brackets: [' OR '1' = '1]
27. Logging in when you have forgotten your password
28. Logging in when you have forgotten your username
29. Logging in with maximum length username/password
30. Logging in with minimum length username/password
31. Are all the characters of the password (or username) case sensitive? (e.g. only the first 8 characters are case sensitive)
32. Is the password saved to system logs when it’s created, modified or used to log in?
33. Is the account locked if you enter an invalid password too many times? Does this number align with your expectations? Are you able to unlock the account?
34. Logging in as a specific user leads to seeing that specific user’s information
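
Ideas 1, 10, 14, 17 and 26 turned into automated checks, as an added example that is not part of the original post: a login function that builds its SQL by string concatenation is run through the same checks as one that uses placeholders. The in-memory table, the `alice` account and all function names are constructed for illustration.

```python
import hashlib
import sqlite3

GENERIC_ERROR = "Invalid username or password"  # idea 17: never say which one failed
PROBE = "' OR '1' = '1"                         # idea 26: the string inside the brackets

def hash_pw(password):
    # Unsalted SHA-256 only keeps the example short; use a salted, slow KDF in practice
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def make_db():
    # Constructed sample data: one account in an in-memory database
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", hash_pw("Sala#åäö_1")))
    return db

def login_vulnerable(db, username, password):
    # The username is pasted into the SQL text, so its quotes become SQL syntax
    sql = ("SELECT username FROM users WHERE pw_hash = '" + hash_pw(password) +
           "' AND username = '" + username + "'")
    row = db.execute(sql).fetchone()
    return (True, row[0]) if row else (False, GENERIC_ERROR)

def login_safe(db, username, password):
    # Placeholders send the values separately from the SQL text
    row = db.execute("SELECT username FROM users WHERE pw_hash = ? AND username = ?",
                     (hash_pw(password), username)).fetchone()
    return (True, row[0]) if row else (False, GENERIC_ERROR)

def run_checks(login):
    # Outcome of five of the ideas above for one login implementation
    db = make_db()
    return {
        "valid_login_ok": login(db, "alice", "Sala#åäö_1")[0],               # ideas 1, 14
        "probe_rejected": not login(db, PROBE, "wrong")[0],                  # idea 26
        "password_case_sensitive": not login(db, "alice", "sala#åäö_1")[0],  # idea 10
        "same_error_text": login(db, "alice", "wrong") == login(db, "nobody", "wrong"),  # idea 17
    }

if __name__ == "__main__":
    for name, fn in (("vulnerable", login_vulnerable), ("safe", login_safe)):
        print(name, run_checks(fn))
```

Only the `probe_rejected` check differs between the two implementations, which is why the injection idea needs its own test case: the ordinary valid/invalid combinations pass on both.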