Question

I get asked this question very frequently in my interviews. They draw username and password text fields and ask me what test cases I can come up with to ensure that this page works fine. My answers on this for some reason never seem to satisfy them. So what tests can we have to ensure that this page is working fine besides the ones mentioned below?

My answers normally include:

  • check whether the login works with correct credentials
  • check that it doesn't work with wrong credentials
  • check text field limits - whether the browser accepts more than the allowed database limits
  • check whether password text is hidden

Solution

I'm not going to give you specific suggestions here: you've already had a few. Instead I'm going to suggest a general strategy you can use for this type of question. (Next interview might not be a login dialog. It might be a registration form.)

I don't use that particular question in interviews, but what I'm generally looking for when I ask this type of question is that people will be able to come up with a variety of test ideas, and that they don't fixate on a particular type of test too much. Getting onto a bit of a roll and throwing out a lot of variations upon a theme is fine, if you later then switch to another theme and do the same - but if you only seem to be able to come up with test ideas for one sort of test, and you run out pretty fast, I may worry that you're a bit narrowly focused for a tester.

Being able to generate a lot of test ideas and range over a wide area when you're doing that is a key indicator of a good tester for me: I want to work with people who are both creative and analytical - i.e. you can both come up with a lot of ideas, and also explain to me the underlying model for them: security, usability, and so on.

Step back and take a breath when you run out of ideas, and ask them a couple more questions about the context - what kind of system is the login dialog for? What platform is it run on? Is it for a publicly available web app, or is this page only reachable within a company? This may trigger more test ideas for you - for instance, you might start thinking about how many times you can retry a login - should user accounts be locked out if they retry too many times? If they are, should the error message give them directions on how to reset their password?

I'd suggest that you try looking up some test heuristics, and practice using them with different scenarios: e.g. test a login dialog, test a registration form, a shopping cart, and so on.

This is a good one to start with - try sitting down and just jotting down a quick list of what comes to mind for all the examples above. Then redo it with a friend, and compare lists: http://www.satisfice.com/articles/sfdpo.shtml

For further reading, I'd suggest this resources page: http://www.developsense.com/resources.html

This sort of practice will help to prompt you when you're under pressure: you can step back and ask yourself "how would I categorise the tests I've suggested so far? Are there any areas I've missed completely? What would be one sort of test for that?".

OTHER TIPS

Functional testing

1) Check if the page is loaded
2) Check if password entered is masked
3) If login is remembered, check if closing the browser and relogging doesn't take to login page
4) If login is not remembered check if cookies helps to remember the session within the period
5) Check if user id and password is authenticated
6) If there is two step authentication check if it works
7) If JavaScript is disabled check if 'sign on' submit triggers the process
8) Check if sign-on page is reloaded after 'signing out'
9) Check if error-message is displayed when entered with incorrect input i.e. invalid user id or pwd
10) Check if error-message is displayed when password or user id is not entered
11) Check if after login, it doesn't take back to the login page when the website is opened in a new tab
12) Check if password restrictions are applied when entering password i.e. integer 0-9, characters and special characters etc.
13) Sign-on attempts limit

Usability testing

1) Availability of user id and password tab
2) Check if user id and password form field is long enough
3) If there is captcha, check if characters are visible and readable
4) If there is 'remember me' option, check if it's a tick box
5) Check if 'sign on' button is available and clickable
6) Check if 'sign out' button is available and clickable
7) Check if the messages displayed i.e. 'Invalid user-id and password' are visible, clear and not truncated

Compatibility:

1) Check if everything works in different browsers

Integration:

1) If cookie or history is cleaned, the sign-on page should be re-loaded
2) If browser is closed after sign-on check if the sign-on is not re-loaded on opening again
3) Check if sign-on page works in browser incognito mode.
4) Check if browser stores passwords in cookie during a session
5) Check if browser stores passwords in local disk when 'remember me' option is checked

Performance:

1) Sign on to the application with multiple user accounts at the same time and capture latency of authentication

Appearance:

1) Check if images and favicon are loaded when the page is requested
2) Check if window is re-sized when browser size is changed

Check that the underlying queries are SQL injection safe. You don't want hackers to drop your tables using injection.

http://sqlzoo.net/hack/ - this page describes one way in which SQL injection can be used in a login form.

  • Check for invalid characters and correct escaping. What will happen if you try to login as Mugen'; drop database; -- (Don't test on a production server).

If for a website:

  • Check if the password is sent hashed or encrypted and not (also) in plain text.
  • Check if it works without Javascript
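
The SQL injection and escaping checks suggested in the answers above, written as an automated test (an added example, not part of the original posts). It runs the same cases against a string-concatenated login query and a parameterized one; the in-memory SQLite schema, the function names, the PBKDF2 password storage and the two accounts are all constructed for illustration.

```python
import hashlib
import hmac
import os
import sqlite3

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw BLOB)")
    # Constructed sample accounts; one name legitimately contains a quote.
    for name, password in [("Mugen", "correct horse"), ("O'Brien", "battery staple")]:
        salt = os.urandom(16)
        db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, _hash(password, salt)))
    return db

def _verify(row, password):
    return row is not None and hmac.compare_digest(row[1], _hash(password, row[0]))

def login_concat(db, username, password):
    # Vulnerable form: the username becomes part of the SQL text.
    sql = "SELECT salt, pw FROM users WHERE username = '" + username + "'"
    return _verify(db.execute(sql).fetchone(), password)

def login_param(db, username, password):
    # Hardened form: the username is bound as data and never parsed as SQL.
    sql = "SELECT salt, pw FROM users WHERE username = ?"
    return _verify(db.execute(sql, (username,)).fetchone(), password)

def check_login(login):
    """Return a list of failed checks for one login implementation."""
    db, failures = make_db(), []
    cases = [
        ("Mugen", "correct horse", True),           # valid credentials
        ("Mugen", "wrong", False),                  # wrong password
        ("O'Brien", "battery staple", True),        # legitimate quote in the name
        ("Mugen'; drop database; --", "x", False),  # string from the answer above
    ]
    for username, password, expected in cases:
        try:
            if login(db, username, password) != expected:
                failures.append(f"{username!r}: wrong result")
        except (sqlite3.Error, sqlite3.Warning) as exc:
            # A SQL error means the input was parsed as SQL, not treated as data.
            failures.append(f"{username!r}: {type(exc).__name__}")
    if db.execute("SELECT COUNT(*) FROM users").fetchone()[0] != 2:
        failures.append("users table changed")
    return failures
```

`check_login(login_param)` returns an empty list, while `check_login(login_concat)` reports both quoted usernames: a database error surfacing from a login attempt is itself a test failure, even when no data is lost.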
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow