In this article, we discuss test cases for password fields. There are many ways to test the passwords in an application, and depending on the type of application you have and the amount of security you want to add, the test cases will differ. So instead of writing test cases just by assuming a password field on a form, let's think through the different scenarios under which passwords can be tested.
People reset their password when they don't remember it. That's the most obvious scenario you can think of while writing the test cases. People also need to reset their password when the app has had a security issue, and in that case the kind of test cases you write will be different. Either way, the password reset scenario needs to be part of any app that intends to collect user data.
- Does the app offer guidelines for resetting the password?
- Does the app offer two-step authentication while resetting the password?
- Does the reset password link have an expiration time or session limit?
- Does the reset password form have a password strength checker?
- Does the reset password form reject insecure passwords?
- Does the reset password form offer a password generator option?
- Does the reset password form have any guidelines for the pattern of the input?
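The reset-link items above (expiry, single use, unknown tokens) are the easiest to turn into automated test cases. The following is an added example, not code from the original article: a hypothetical reset-token service with the checks written against it. The 15-minute lifetime, the `FakeClock` and the user names are assumptions made for the example.

```python
import hashlib
import secrets
import time

# Assumed policy value for this example: reset links expire after 15 minutes.
RESET_TOKEN_TTL_SECONDS = 15 * 60


class FakeClock:
    """Controllable clock so expiry can be tested without sleeping."""

    def __init__(self, start=1_000_000.0):
        self.now = start

    def __call__(self):
        return self.now


class ResetTokenStore:
    """Issues single-use, time-limited password reset tokens (hypothetical service).

    Only a SHA-256 digest of each token is kept, so a leaked store does not
    yield usable reset links.
    """

    def __init__(self, ttl_seconds=RESET_TOKEN_TTL_SECONDS, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._tokens = {}  # digest -> (user_id, issued_at)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        # Issuing a new token invalidates any earlier token for the same user.
        self._tokens = {d: v for d, v in self._tokens.items() if v[0] != user_id}
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = (user_id, self.clock())
        return token

    def redeem(self, token):
        """Return the user id if the token is valid, else None.

        pop() makes the token single-use: even an expired token is removed.
        """
        entry = self._tokens.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, issued_at = entry
        if self.clock() - issued_at > self.ttl:
            return None
        return user_id


def run_reset_checks():
    """Test cases for the reset-link items; each value is True when the check passes."""
    clock = FakeClock()
    store = ResetTokenStore(clock=clock)
    results = {}

    token = store.issue("alice")
    clock.now += RESET_TOKEN_TTL_SECONDS + 1
    results["expired_token_rejected"] = store.redeem(token) is None

    token = store.issue("bob")
    results["valid_token_accepted"] = store.redeem(token) == "bob"
    results["token_is_single_use"] = store.redeem(token) is None

    results["unknown_token_rejected"] = store.redeem("not-a-real-token") is None

    first = store.issue("carol")
    second = store.issue("carol")
    results["reissue_invalidates_previous"] = (
        store.redeem(first) is None and store.redeem(second) == "carol"
    )
    return results


if __name__ == "__main__":
    for name, passed in run_reset_checks().items():
        print(f"{name}: {'PASS' if passed else 'FAIL'}")
```

Each entry in `run_reset_checks()` maps to one row of a test document; the injected clock is what makes the expiry case deterministic instead of a sleep in the test suite.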
Almost every secure web app needs an encryption system. You should discuss the following scenarios while setting the requirements for the password field.
- Does the system use MD5 hashing?
- Does the system use any form of encryption?
- Does the system store the password in plain text?
- Does the system mask the password while it is being typed?
- Is the password storage in the database itself encrypted?
- Is the encrypted password easy to decrypt using known tools?
There are many other encryption features you can think of, and the more complex the field, the stronger the encryption you need for the app.
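A tester who can read the password column of a test database can answer the plain-text, MD5 and "is it easy to recover" questions above directly. This added example (not from the original article) shows three storage schemes for a hypothetical app and a classifier that, given a known test password and the stored value, reports which scheme was used; it also checks whether two accounts with the same password get different stored values, which is what a salt buys you. The record format, the iteration count and the sample password `hunter2` are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re

# Three ways a hypothetical app might persist a password. Only the last one
# is acceptable; the first two are the "before" cases a tester should be
# able to recognise in a database dump.


def store_plaintext(password):
    return password


def store_md5(password):
    # Unsalted MD5: fast, no salt, identical for every user with the same password.
    return hashlib.md5(password.encode()).hexdigest()


def store_pbkdf2(password, salt=None, iterations=600_000):
    # Salted, iterated key derivation; the iteration count travels with the hash
    # so it can be raised later without breaking old records.
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password, stored):
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def classify_stored_password(password, stored):
    """Given a known test password and the value found in the database, report
    how it was stored: 'plaintext', 'unsalted_md5', 'salted_kdf' or 'unknown'."""
    if stored == password:
        return "plaintext"
    if re.fullmatch(r"[0-9a-f]{32}", stored) and hmac.compare_digest(
        stored, hashlib.md5(password.encode()).hexdigest()
    ):
        return "unsalted_md5"
    if stored.startswith("pbkdf2_sha256$") and verify_pbkdf2(password, stored):
        return "salted_kdf"
    return "unknown"


def same_password_distinct_storage(store_fn, password):
    """True if two accounts with the same password get different stored values,
    i.e. the scheme is salted and one recovered hash does not expose both."""
    return store_fn(password) != store_fn(password)


if __name__ == "__main__":
    for scheme in (store_plaintext, store_md5, store_pbkdf2):
        record = scheme("hunter2")  # constructed sample password
        print(scheme.__name__, classify_stored_password("hunter2", record),
              "salted" if same_password_distinct_storage(scheme, "hunter2") else "unsalted")
```

In a real test the known password is the one you registered with through the UI, and the stored value is read back from the test database; `classify_stored_password` then gives a pass/fail for the plain-text and MD5 items without anyone having to guess at the scheme.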
There are tools like KeePass and LastPass that offer to save passwords on the desktop or in the browser, and such tools can then be used to automate browser login. Tools like these require a single master password, and with that single password you can automate login across multiple websites. So testing such password fields with automation tools is going to be different.
- Does the app allow the use of a password management tool?
- Does password management work properly with the app?
- Is the password manager secure enough to store the password?
Each web app should have some sort of guidelines on the choice of password a user should make for better security. So make sure you consider the following test scenarios.
- Does the app allow you to see the password length?
- Does the app have some guidelines for password strength?
- Does the app tell you which characters are allowed?
- Does the app prevent you from entering characters that are not allowed?
- Does the app keep the password field masked with asterisks?
- Is there any form of guideline for the forgot password link?
The app should also give some form of strength indication, and notify you if caps lock is on. This makes testing the password field a lot better. You can also look at the password fields of popular cloud apps; this gives you an idea of how to test the password field better for your own use.
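The strength checker from the reset-form list and the length, allowed-character and strength-guideline items above all come down to one password policy that the form must enforce and explain. This added example (not from the original article) is a small policy validator for a hypothetical app: it returns the list of violated rules, which doubles as the guidance text the form should show, plus the coarse strength label a form would display while typing. The minimum length, the symbol set and the short common-password list are assumptions made for the example.

```python
import string

# Assumed policy values for this example (a real app publishes its own).
MIN_LENGTH = 12
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
ALLOWED_CHARS = set(string.ascii_letters + string.digits + SYMBOLS)
# Constructed sample of a breached-password list; a real check uses a full list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "password123"}


def character_classes(candidate):
    """Count how many of the lower/upper/digit/symbol classes the password uses."""
    return sum([
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(c in SYMBOLS for c in candidate),
    ])


def validate_password(candidate):
    """Return the list of rule violations; an empty list means the password is accepted.

    Each entry names the rule and, where useful, the value the user needs to meet,
    so the same list can be rendered as the form's guidelines.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"too_short:min_{MIN_LENGTH}")
    disallowed = sorted({c for c in candidate if c not in ALLOWED_CHARS})
    if disallowed:
        # Reported back so the form can say exactly which characters are rejected.
        problems.append("disallowed_chars:" + "".join(disallowed))
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("common_password")
    if character_classes(candidate) < 3:
        problems.append("low_variety:need_3_of_4_classes")
    return problems


def strength_label(candidate):
    """Coarse strength indicator of the kind a form shows while the user types."""
    if validate_password(candidate):
        return "weak"
    if len(candidate) >= 16 and character_classes(candidate) == 4:
        return "strong"
    return "fair"


if __name__ == "__main__":
    # Constructed sample inputs covering the accepted, too-short and disallowed cases.
    for sample in ("Correct-Horse-Battery-9", "password", "abcdefghijkl mno", "Abcdef123456"):
        print(repr(sample), strength_label(sample), validate_password(sample))
```

Running the validator against a table of constructed inputs (an accepted password, a common one, one with a space, one that just meets the minimum) is the test document for this section: every rule the form claims to enforce gets an input that violates only that rule.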
The test scenarios and test cases explained above should be more than enough to start your test document. You can add more test content, test data and scenarios to the document. Feel free to let me know if you have any other suggestions for the discussion. I'd appreciate your comments, and please feel free to share this with your friends. 🙂