What follows are my thoughts on testing a login process. This originally started out as a comment on a post Santhosh Tuppad made around his ideas for testing a login process, but I quickly realised my list was becoming a little bit on the large side. Thanks for the challenge, Santhosh.
So here are my thoughts in the form of a mind map (you can click on it to see it in a larger size). I’ve also uploaded an accessible list which can be accessed here.
I hope you’ll find some stuff which I haven’t considered, and find some that you wouldn’t have considered either.
Not as comprehensive as yours, but we did a crowdsourced test ideas for a login screen a while back on The Software Testing Club – details here – http://blog.softwaretestingclub.com/2009/12/test-ideas-for-a-login-screen/
Hi Rosie,
Thanks for the link, there are a couple that I missed in there.
Cookies is something I’ve tested the security of logins with in the past, oops, shame on me.
Back and forwards buttons, that’s interesting, I hadn’t thought of that one.
What I liked most in the PDF was the context gathering questions, excellent stuff!
Thanks for sharing,
Darren.
Darren, Fantastic. I will share the PDF document soon which has login test ideas based on WordPress login page. I would write the test ideas for SSL (HTTPS) very soon.
Thanks for the contribution to login test ideas.
– Santhosh Tuppad
Hi Santhosh,
Thanks, glad you liked it. Looking forward to these SSL test ideas, this is something I’ve no experience testing.
If you want to try some collaborative mind mapping some time on other ideas, then let me know, we’ll no doubt learn lots from each other.
Thanks,
Darren.
Nice mindmap but how much of it will you implement/execute?
Hi Lim,
That would be a context sensitive question. So for any point in time my response might be different. Currently though the product that I’m testing, doesn’t include a login at this moment in time. When it does, it’ll be application based, so a lot of the web related ideas I’ve added here wouldn’t be executed, and the extent of my testing would ultimately come down to current context, risk, time and gut feeling.
Thanks for taking the time out to comment,
Darren.
May I suggest you to take a look at this presentation http://www.whatistesting.com/qpatterns/q-patterns.pdf which has login related questions (as opposed to test cases). The list is not complete as the idea was to just demonstrate the concept of Q-Patterns.
Vipul
Hi Vipul,
You tweeted me about this shortly after I posted this. I had a look back then, and really enjoyed what I read. Excellent stuff!
I’d say Q-Patterns, is a technique with many names. Fantastic for generating ideas, but idea generation should not be limited to any one technique. I use many, but ultimately start with just my mind and a map, using techniques to flesh out things I might not have considered.
Thanks,
Darren.
What you say is of course true and the pragmatic approach. Maybe for a follow on article you could investigate what tools you can find to help you do some of the testing quicker/better e.g. some of the security and error handling testing can be built into a framework. There’s some work being done to even automate some of the usability stuff.
Hi Lim,
Certainly interesting, though it’s not something I plan on blogging about. It would certainly make an interesting series of blog posts for anyone else with the time spare. I’d say quite a lot of these test ideas can be broken down further.
The usability stuff sounds very interesting, I’d be keen on finding out more about this. What exactly are they automating?
Look forward to hearing more,
Darren.
I’ve heard automated usability mentioned a couple of times. Most recently was at the London Selenium meetup by someone from eBay. They did some basic things like checking if you could tab around a page and end up where you started. Another thing they did was also measure how many tabs it took to go a full circle. I think that was to get an indication of how busy a page was.
I too am interested in this area. But just doing a quick search on Google seems to show that most of what is done is just monitoring user behaviour and improving on particular journeys.
Hi Lim,
Thanks for the extra info. It sounds like they’ve looked into what basic checks are available. I guess tab order could come under that, though this is something I usually associate with accessibility, again this being something many consider a subset of usability. I think it’s fine considering this a subset as long as you don’t treat it as a quick task, as it’s a massive thing in itself, hence why I like to think of them as separate things.
Anyway, using the tab order as a means of determining the number of clicks is interesting. I’m assuming he’d flag X amount of clicks as a warning to be looked at. In theory that’s not a bad idea as you’d be able to at least reconsider design decisions made, but it doesn’t make me entirely comfortable. What if this begins to affect designs in such a way that whilst they’re all forced to become minimalist, they begin to lose the key things that made them appealing, and usable? In fact you might even see once visible features replaced by poor affordance options. Very interesting, if you know, or can find out his name, let me know, I’d love to query him on this.
Thanks,
Darren.
Hi Darren,
Thanks for your views and comments. In fact when I had tweeted to you, I pointed out a different presentation which had an example of list rather than login (if I remember correctly). Yesterday I went through your mindmap and I liked it immensely. I was also reminded of the login Q-Pattern I wrote in 2000 and hence I dug up the one that explicitly talks about Login.
Q-Patterns are more for organizing the questions/test ideas but they are a bit more structured than mindmaps and the structure lends itself to feature definition and not just as a test idea catalog. Test ideas will typically be generated from test design techniques, patterns, heuristics, requirements and whatever can be used. Q-Patterns also allow inheritance and specialization. So what you mention in another of your comments (to Lim) about executing some and not executing others based on context is taken care of. Generic login and specialized web-based login (Generalization – specialization in OO terminology).
In fact there is another technique that I have developed called extension to noun-and-verb technique which is very simple but IMO powerful to get test ideas quickly. This technique can be used to derive test ideas which can then be arranged in a mindmap or as a q-pattern or just used as a guide in an exploratory session. If you find time please do take a look at http://www.siliconindia.com/events/siliconindia_events/Softec%20delhi%20ppts/Noun%20and%20Verb%20Techniquev1.4small.ppt
There is more to the technique than what is there in the PPT but the ppt captures the basic idea. By the way the noun-and-verb technique comes from Elisabeth Hendrickson who might have got the inspiration from OO method of deriving classes and methods using noun-and-verb technique of Abbott and I might have got inspiration from properties-of-nouns-and-verbs method of Coad and Yourdon.
regards,
Vipul
Hi Vipul,
You tweeted me to google Q-Patterns, which I did and it led me to http://curioustester.blogspot.com/2010/04/questioning-patterns-by-vipul-kocher.html
I’ve got to say I find the slides much more informative, good job on those.
I didn’t realise it was you who had written the extension “Creating Real-World Test Cases using Extension to Noun and Verb technique” slides. Those are first class, I’ve actually looked at them a few times in the past. Really great job there.
Thanks,
Darren.
Seems comprehensive. The only thing that came to mind is testing compliance to password rules : length, alpha, caps, numeric etc.
james
Hi James,
I hadn’t thought so much about the direct workings of password rules as such, so well spotted, but I had considered traditional black box test techniques to rule out any issues with compliance, error handling, and validation. You can find these all listed under the error handling section.
There could be an extension here though for non traditional error handling / rules. I just can’t think of any at the moment; if you list them, I’ll stick them in with credits.
Thanks,
Darren.
Excellent mindmap Darren.
Can we keep extending it? How about adding scenarios for connectivity?
- Local login (if the authentication is saved in the local DB)
  - Login when connectivity is down
  - Login when Remote Authentication is configured
  - Login when Remote Authentication is not configured
- Authenticating to an Active Directory on a Remote PC?
  - AD turned ON
  - AD turned OFF
  - Config file marked not to use AD
  - Lossy Connectivity
Hi Sharath,
Sure of course we can extend it, I’ll do that pretty soon, and label extensions to it with credits.
Nice ideas.
Cheers,
Darren.
Dear Darren,
That’s a great mind map for this topic,
Can you elaborate with which tool have you created it?
As Sharath raised – can we keep extending it?, are there mind mapping tools which can be shared for community contribution?
Any means to export this into other formats, so we could import it into our ALM tools?
halperinko – Kobi Halperin
Hi Kobi,
Thanks, this map was created using Xmind. It’s a free download, go check it out.
For community contributions you could use something like MindMeister, though I’m happy to add additional ideas posted as comments onto it with credits to the authors.
If you like I can add a link to the original mind map for download if that helps? Then you can use XMind’s various export capabilities.
Thanks,
Darren.
Hi Darren,
I never knew that you existed.
Now, I will never FORGET that you exist.
You exist for a cause of testers and that’s awesome.
Your posts are awesome though I am yet to read them in detail.
Thanks for that good information. Lots to learn. Keep it coming our way.
Thanks,
Rrajesh Barde
Hi Rrajesh,
Thanks for the kind comment. I am very happy that you had found it helpful.
It’s good to see that you’re blogging yourself as well!
Thanks,
Darren.
Hi Darren,
This is a great mind map, one of the most detailed I have seen so far.
I have a suggestion for it.
Some sites send the user an email after the registration with a link for confirming the new account and email address.
The login should not work until the user confirms the new account.
Another scenario applies to sites that have native and FB connect login.
It should not be possible to login (native login) using an email address (or username) used for FB connect.
Thanks.
Alex
Hi Alex,
Thanks for the comment and sorry for the late reply.
I agree with both additions, thanks for sharing them.
Thanks,
Darren.
Wonderful idea of trying to collect as many scenarios as possible for Login screen testing. It would be great to have something like that for different situations, like IP, DB, TLD, data field, etc.
Would like to add some more accidents detected on login screen testing:
1) Logging: password is not encrypted in the log
2) login screen is not re-sizable ( may be a part of browser usability) – if you change app window size – no scrolling is available – and the Login fields are not available for user.
3) not exactly for Login screen, but for any app – changing of screen resolution caused application crash.
Hi Victor,
Thanks for the comment, I have a draft post around site search ideas, I’ll try and get it finished some time soon, I’m just really short on spare time to write up blog posts.
Good ideas, I’d debate for 1 though that a password should never reach any sort of logging in the first place.
Three I’ve never witnessed before – must have been some crazy code to get it to do that.
Thanks a lot for sharing your ideas.
Darren.
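A check for the logging point raised in the two comments above, as an added example that is not part of the original thread: submit a unique canary password, capture everything the application logs during the attempt, and look for the canary in plaintext and in the encodings a password typically ends up in. `leaky_login`, `quiet_login` and the canary value are constructed stand-ins for the application under test.

```python
import base64
import io
import logging
import re
import urllib.parse

log = logging.getLogger("app.auth")
CANARY = "C@nary pw+2024!"  # constructed, unique test password

def find_leaks(log_text, secret):
    """Return the encodings of `secret` that appear in the captured log."""
    hits = set()
    if secret in log_text:
        hits.add("plaintext")
    if urllib.parse.quote_plus(secret) in log_text or urllib.parse.quote(secret) in log_text:
        hits.add("url-encoded")
    if secret.encode().hex() in log_text.lower():
        hits.add("hex")
    # Decode every base64-looking token: the password may sit inside "user:pass".
    for token in re.findall(r"[A-Za-z0-9+/]{8,}={0,2}", log_text):
        try:
            decoded = base64.b64decode(token, validate=True)
        except ValueError:
            continue
        if secret.encode() in decoded:
            hits.add("base64")
    return sorted(hits)

def capture_logs(login, username, password):
    """Run one login attempt and return everything logged while it ran."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    root = logging.getLogger()
    old_level = root.level
    root.addHandler(handler)
    root.setLevel(logging.DEBUG)
    try:
        login(username, password)
    finally:
        root.removeHandler(handler)
        root.setLevel(old_level)
    return buf.getvalue()

def leaky_login(username, password):  # constructed: logs request body and auth header
    log.debug("POST /login body=user=%s&pass=%s", username, urllib.parse.quote_plus(password))
    log.info("auth header: %s", base64.b64encode(f"{username}:{password}".encode()).decode())

def quiet_login(username, password):  # constructed: logs the outcome only
    log.info("login attempt user=%s result=failed", username)
```

Against a real application the same `find_leaks` check would be run over the web server, application and proxy log files written during the test window rather than over an in-process handler.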
This is useful information!