Login Ideas

Security

HTTP

not HTTPS

Masking passwords

Injection attacks

JavaScript

SQL

...

Redirection

Cross-site scripting

Source code

Exploits

Useful comments

Low-hanging fruit

Ownership

Server holds credentials

Security Q/A

Password

Other personal details

Server holds no credentials

No legal implications

Brute force

Login should not use a JS popup

Makes it harder for script kiddies to brute force

Less audience = less traffic

Detecting brute force attacks

IP temporary ban

X attempts for login in a time period

Password file brute-forceable?

Use other method of storage / encryption

Spam

Policy for handling forgotten passwords

If someone knows your email address, they can script spamming your inbox with forgotten-password emails

Encryption

Strong

Implemented correctly?

Implemented poorly?

Becomes weak

Weak

Improve encryption method

Password storage

Secure?

Insecure?

Use secure method

Privileges

Are users seeing only what they should be allowed to?

Usability

Consistency

Multiple login methods

Should use a single login API

All variables consistent across login approaches

Layout

Terminology

Prevent copy paste into password confirmation field

1st typed password may have a mistake in it

Learnability

Any constraints clearly visible

Field max length helps rule out the user's forgotten usernames / passwords

Majority use a set of U/Ps (usernames / passwords)

Affordance

Shortcuts

Tab order

Stay logged in forever

Errors

Clearly stated

Explain what went wrong

In a non-technical way

Depending upon context

Explain how to resolve the issue

Be human

Reporting

Usable, quick method of reporting errors

Clear indication of defect resolution policy

Not massive legal style document

Quick, sharp and to the point

Compatibility

Browsers

Operating systems

Mobile OS

Browsers

Databases

Error handling

Appropriate

Invalid characters

Unexpected format

e.g. Email expected, user name entered

Null inputs

Spaces between characters

Blank space only

Max length

Authentication mechanism goes offline

Database

Backend

3rd party

Scope for other test ideas

Registration process

Forgotten password process

Non-regular logins

Logout process

Debug

Logging

Useful logging

Traceable

Code easily debuggable

Testability

Isolated harness / test process

Unit tests

See Also: Quick feedback

Test team reviewed

System level automated tests

See Also: Quick feedback

Ease of product setup for testing new code

Too hard?

Improve

Automate process

Upgrade

Backwards compatible

Modular code

Ease of upgrade process with changes to login API

Upgrade policy

Customized projects

Made changes to API outwith policy

See Also: Care to support?

Resellers

Made changes to API outwith policy

See Also: Care to support?

Accessibility

Captcha

Audio alternative

Useful?

Trialled with valid users

Colour scheme

Alt text for images

Standard implementation of headers, links, tables and buttons on the form

All detected by screen reader software

Descriptive component IDs

Access keys apparent

Tabbing through elements available

Appropriate order

Appropriate elements only

Initial focus

Appropriate initial field?

Appropriate in context of this screen?

ARIA Landmarks

One for login

Elements can be searched for

Via browser standard find feature

Via screen reader software

State transition awareness

Post login apparent to user

Use of audio for page transitions

Perceptions

Speed

Response times

Downtime

Time to upgrade

Improvable?

Can we make it transparent?

Maintenance tasks

Needed?

Can we make these transparent?

Extensibility

Ability to use 3rd party validation mechanisms

Ability to use 3rd party login mechanisms

Ability to extend login mechanism to include for example a pin, along with existing username / password

Performance

Max number of credentials stored by system

See Also: Resource monitoring

Max number of logged in users

See Also: Resource monitoring

Max simultaneous logins

See Also: Resource monitoring

Login, logout scenario soak test

See Also: Resource monitoring

Recoverability

Interrupt process

Negative side effects?

Corrupted data?

Expectations

Maintain user states?

Don't maintain user states?

Visuals

Appealing

Nice help paradigm

Nice error handling

Preferably inline

Intuitive

Modern

Consistent

Fluid

Localisation

Ability to handle other character types

Accented characters

Asian

Other?

Smoke

Login

Logout

Stay logged in

Capability

Simultaneous login

Machines

Domains

Browsers

Quick feedback

See Also: System level automated tests, Unit tests

Useful?

Resource monitoring

See Also: Login, logout scenario soak test, Max simultaneous logins, Max number of logged in users, Max number of credentials stored by system

Care to support?

See Also: Made changes to API outwith policy, Made changes to API outwith policy