Santhosh Tuppad gives away some test ideas for login/authentication and login session. This list is old but may trigger new ideas.

1. Test Ideas for login screen & Login Session
Disclaimer: All the test ideas in this document have been solely created by me however; an individual
can use it for his testing activity. You can re-distribute this document without making any changes. If
you would like to contribute to this document & add more ideas then you can e-mail me at
Santhosh.Tuppad@gmail.com
Consider the following image which is a login screen of WordPress product,
1. Check what is the maximum size set for the input
2. Check what kind of characters does it allow
3. Check if the database is vulnerable to SQL Injection
4. Check if there is any way that you can know the credentials from the code
5. Check if the URL shows the entries of the inputs in encrypted or normal way
6. Check what happens when you give different combinations of inputs
Example combinations can be –
a. Wrong username – wrong password
b. Wrong username – correct password
c. Correct username – wrong password
d. Correct username – correct password
e. Special characters in both the fields
f. Username with special characters – Password with alphanumeric
g. Much more combinations that your mind can think of
7. Check if you can crash the database by entering more characters than maximum size from
any of the browser that doesn’t support “size” variable to be processed
8. Check if the validation is done on client as well as server side
9. Check if there is any cookie that is going to be stored during login
10. Check if there is any session time out for idling for certain period of time
11. Check if HTML code or Javascript code can be inserted through the text fields
12. Check if username can be copy pasted – Why do I need to check copy paste for username?
(Password copy paste check is fine but why username?) Most of the people use usernames
which are hard to remember (Note that usernames can be even complex as password so
most of the people copy it and paste it in the username field to save time)
13. Check if password is showing asterisk or anything but not the password
14. Check if “Remember Me” feature is functioning properly – Check in the browsers which are
widely used)

2. 15. Check how is the password getting stored and where is it getting stored and any user have
access to that area to steal the password in absence of the real owner of that account
16. Check if there are minimum characters that has to be entered to process the login – if
“YES” how many?
Do some scenario testing,
17. A & B are two users who use cyber computer. A comes to cyber and logs in to his/her
account and suddenly the power goes off & there is no UPS. Now A has not logged out & A
waits for some time for the power to come and after a long wait A leaves the cyber. Now
when the power comes user B logs into the same computer that A used and in IE or Mozilla
Firefox he/she types the URL of the account that A used.
From the above scenario,
a. Check if “A” has been logged out as there was no activity for certain period of time.
b. Check if even after “A” went to another cyber where there was power and then logged out
& still B is able to access the privileges of user A?
18. A & B are two users who are using cyber computer, A is currently logged in. A gets a call on
his/her phone & goes out for some time to talk his/her friend. Now B has access to A’s
machine and he/she tries to change the password of A.
a. From the above scenario, you need to check if the product has security enabled like, it asks
for Current Password and then new password.
b. If it doesn’t ask for current password and allows B to change the password by just entering
new password then it is a potential problem.