Login Ideas



  not HTTPS

 Masking passwords

 Injection attacks

  JavaScript




 Cross site scripting

 Source code


  Useful comments

   Low hanging fruit


  Server holds credentials

   Security Q/A


   Other personal details

  Server holds no credentials

   No legal implications

 Brute force

  Login should not use a JS popup

   Makes it harder for script kiddies to brute force

    Less audience = less traffic

  Detecting brute force attacks

   IP temporary ban

   X login attempts within a time period
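An added example (not part of the original checklist) of the "X attempts in a time period, temporary IP ban" idea above: a sliding-window throttle that a tester can drive with scripted attempts. The policy numbers (5 failures in 60 s, 300 s ban), the class and function names and the sample events are all assumptions constructed for this illustration.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Per-IP sliding window of failed logins with a temporary ban (policy values hypothetical)."""

    def __init__(self, max_failures=5, window=60, ban_seconds=300):
        self.max_failures, self.window, self.ban_seconds = max_failures, window, ban_seconds
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._banned_until = {}              # ip -> time at which the ban expires

    def allowed(self, ip, now):
        """Call before verifying the password: False while the IP is banned."""
        if now < self._banned_until.get(ip, 0):
            return False
        self._banned_until.pop(ip, None)  # no ban, or the ban has expired
        return True

    def record(self, ip, now, success):
        """Record the outcome of an attempt that allowed() let through."""
        recent = self._failures[ip]
        if success:
            recent.clear()
            return
        recent.append(now)
        while now - recent[0] > self.window:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:   # X failures inside the window: ban
            self._banned_until[ip] = now + self.ban_seconds
            recent.clear()

def replay(events, throttle=None):
    """Replay (seconds, ip, success) events; return 'ok', 'fail' or 'banned' per event."""
    throttle = throttle or LoginThrottle()
    decisions = []
    for t, ip, success in events:
        if not throttle.allowed(ip, t):
            decisions.append("banned")  # rejected before any password check
            continue
        throttle.record(ip, t, success)
        decisions.append("ok" if success else "fail")
    return decisions

# Constructed sample: one IP hammers the form while another user mistypes once.
SAMPLE_EVENTS = [
    (0, "203.0.113.5", False), (2, "203.0.113.5", False), (4, "203.0.113.5", False),
    (5, "198.51.100.7", False), (6, "198.51.100.7", True),
    (6, "203.0.113.5", False), (8, "203.0.113.5", False),  # 5th failure: ban
    (9, "203.0.113.5", True),    # right password, but still inside the ban
    (310, "203.0.113.5", True),  # ban expired
]
```

When testing an IP ban, also try attempts from a shared address (NAT, corporate proxy): a per-IP ban can lock out every legitimate user behind it, so the test plan should cover that case.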

  Password file brute forceable?

   Use other method of storage / encryption


  Policy for handling forgotten passwords

  If someone knows your email address, they can script spamming your inbox with forgotten-password emails



   Implemented correctly?

   Implemented poorly?

    Becomes weak


   Improve encryption method

 Password storage



   Use secure method


  Are users seeing only what they should be allowed to?



  Multiple login methods

   Should use a single login API

   All variables consistent across login approaches



  Prevent copy paste into password confirmation field

   1st typed password may have a mistake in it


  Any constraints clearly visible

  Field max length helps rule out the user's forgotten usernames / passwords

   Majority of users reuse a small set of username / password pairs


   Short cuts

   Tab order

   Stay logged in forever


  Clearly stated

   Explain what went wrong

    In non technical way

     Depending upon context

   Explain how to resolve the issue

   Be human


   Usable, quick method of reporting errors

   Clear indication of defect resolutions policy

    Not massive legal style document

    Quick, sharp and to the point



 Operating systems

 Mobile OS



Error handling


 Invalid characters

 Unexpected format

  e.g. email expected, username entered

 Null inputs

 Spaces between characters

 Blank space only

 Max length

 Authentication mechanism goes offline



  3rd party

Scope for other test ideas

 Registration process

 Forgotten password process

 Non regular logins

 Logout process



  Useful logging


 Code easily debuggable


 Isolated harness / test process

 Unit tests

See Also: Quick feedback

  Test team reviewed

 System level automated tests

See Also: Quick feedback

 Ease of product setup for testing new code

  Too hard?


   Automate process


 Backwards compatible

 Modular code

 Ease of upgrade process with changes to login API

 Upgrade policy

  Customized projects

   Made changes to API outwith policy

See Also: Care to support?


   Made changes to API outwith policy

See Also: Care to support?



  Audio alternative


   Trialled with valid users

 Colour scheme

 Alt text for images

 Standard implementation of headers, links, tables, buttons, on form

  All detected by screen reader software

 Descriptive component IDs

 Access keys apparent

 Tabbing through elements available

  Appropriate order

  Appropriate elements only

 Initial focus

  Appropriate initial field?

  Appropriate in context of this screen?

 ARIA Landmarks

  One for login

 Elements can be searched for

  Via browser standard find feature

  Via screen reader software

 State transition awareness

  Post login apparent to user

  Use of audio for page transitions



  Response times


  Time to upgrade


   Can we make it transparent?

  Maintenance tasks


    Can we make these transparent?


 Ability to use 3rd party validation mechanisms

 Ability to use 3rd party login mechanisms

 Ability to extend login mechanism to include for example a pin, along with existing username / password


 Max number of credentials stored by system

See Also: Resource monitoring

 Max number of logged in users

See Also: Resource monitoring

 Max simultaneous logins

See Also: Resource monitoring

 Login, logout scenario soak test

See Also: Resource monitoring


 Interrupt process

  Negative side effects?

  Corrupted data?


  Maintain user states?

  Don't maintain user states?



  Nice help paradigm

  Nice error handling

   Preferably inline






 Ability to handle other character types

  Accented characters






 Stay logged in


 Simultaneous login




Quick feedback

See Also: System level automated tests, Unit tests


Resource monitoring

See Also: Login, logout scenario soak test, Max simultaneous logins, Max number of logged in users, Max number of credentials stored by system

Care to support?

See Also: Made changes to API outwith policy, Made changes to API outwith policy