Login Ideas

Security

 HTTP

  Login form or POST served over plain HTTP rather than HTTPS? Credentials and the session cookie then travel in clear text

 Masking passwords

 Injection attacks

  JavaScript

  SQL

  ...

 Redirection (e.g. an open redirect through a post-login return URL parameter)

 Cross site scripting

 Source code

  Exploits

  Useful comments (internal URLs, TODOs, test credentials left in shipped code)

   Low hanging fruit

 Ownership

  Server holds credentials

   Security Q/A

   Password

   Other personal details

  Server holds no credentials

   Fewer legal implications if breached

 Brute force

  Login should not use a JS popup / prompt for credentials

   Claimed to make it harder for script kiddies to brute force

    Less audience = less traffic

   Caveat: a brute-force script posts straight to the login endpoint and never sees the UI, so this is at best a deterrent; rely on the rate limiting and lockout below

  Detecting brute force attacks

   Temporary IP ban

    Combine with a per-account lockout: a distributed attacker can spread attempts over many IPs

   X failed attempts per account or per IP within a time window

  Password file brute forceable offline if it leaks?

   Store a slow, salted password hash (bcrypt, scrypt, Argon2) rather than reversible encryption or a fast unsalted hash

 Spam

  Policy for handling forgotten passwords

  If someone knows your e-mail address, they can script the forgotten-password form to spam your inbox with reset e-mails

   Rate limit reset requests per address and per source IP; keep the visible response identical so the limit does not leak which addresses are registered
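The brute-force detection items above (X failed attempts per account or IP in a time window, temporary ban) and the forgotten-password spam item share one mechanism: a sliding-window counter keyed on whatever you are limiting. The following is an added example, not code from the original outline; the thresholds, window lengths and sample traffic are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Assumed policy (illustrative, not from the page): tune to real traffic.
WINDOW_SECONDS = 300       # sliding window for counting failures
MAX_PER_ACCOUNT = 5        # failures per username in the window -> account lockout
MAX_PER_IP = 20            # failures per client IP in the window -> temporary IP ban
BAN_SECONDS = 900          # length of a lockout or ban
MAX_RESETS_PER_HOUR = 3    # forgotten-password e-mails per address per hour


class SlidingWindowLimiter:
    """Counts events per key (username, client IP, or reset e-mail address)
    in a sliding window and blocks the key once the limit is reached."""

    def __init__(self, limit: int, window: float, block_for: float) -> None:
        self.limit, self.window, self.block_for = limit, window, block_for
        self.events: Dict[str, Deque[float]] = defaultdict(deque)
        self.blocked_until: Dict[str, float] = {}

    def is_blocked(self, key: str, now: float) -> bool:
        until = self.blocked_until.get(key)
        if until is None:
            return False
        if now >= until:                 # block has expired
            del self.blocked_until[key]
            return False
        return True

    def record(self, key: str, now: float) -> bool:
        """Record one event; return True if this event triggered a block."""
        q = self.events[key]
        q.append(now)
        while q and now - q[0] > self.window:   # forget events outside the window
            q.popleft()
        if len(q) >= self.limit:
            self.blocked_until[key] = now + self.block_for
            q.clear()
            return True
        return False


class LoginGuard:
    """Brute-force and reset-spam controls in front of the real password check."""

    def __init__(self) -> None:
        self.per_account = SlidingWindowLimiter(MAX_PER_ACCOUNT, WINDOW_SECONDS, BAN_SECONDS)
        self.per_ip = SlidingWindowLimiter(MAX_PER_IP, WINDOW_SECONDS, BAN_SECONDS)
        self.resets = SlidingWindowLimiter(MAX_RESETS_PER_HOUR, 3600, 3600)

    def login_attempt(self, username: str, ip: str, password_ok: bool, now: float) -> str:
        """Return 'ok', 'denied' or 'blocked'. The block check runs before the
        password is looked at, so a blocked client learns nothing about whether
        the guess was correct."""
        if self.per_ip.is_blocked(ip, now) or self.per_account.is_blocked(username, now):
            return "blocked"
        if password_ok:
            return "ok"
        self.per_account.record(username, now)
        self.per_ip.record(ip, now)
        return "denied"

    def reset_request(self, email: str, now: float) -> bool:
        """True if a reset e-mail should actually be sent. The HTTP response to
        the requester is the same either way, so the limit is invisible to them."""
        if self.resets.is_blocked(email, now):
            return False
        self.resets.record(email, now)
        return True


# Constructed sample traffic: (seconds, username, client IP, password correct?)
SAMPLE_EVENTS: List[Tuple[float, str, str, bool]] = [
    (0, "alice", "203.0.113.5", False),
    (10, "alice", "203.0.113.5", False),
    (20, "alice", "203.0.113.5", False),
    (30, "alice", "203.0.113.5", False),
    (40, "alice", "203.0.113.5", False),     # 5th failure: alice is locked out
    (50, "alice", "198.51.100.7", True),     # right password, but still locked
    (1000, "alice", "198.51.100.7", True),   # lockout (900 s) has expired
]


def replay(events: List[Tuple[float, str, str, bool]]) -> List[str]:
    """Run constructed events through a fresh LoginGuard and return the decisions."""
    guard = LoginGuard()
    return [guard.login_attempt(u, ip, ok, t) for t, u, ip, ok in events]


if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(f"t={event[0]:>5} {event[1]}@{event[2]:<14} -> {decision}")
```

Two design points matter for testing: the lockout is keyed on the account as well as the IP, so a correct password from a new IP is still refused while the account is locked (the sixth sample event), and the limiter's decision is made before the password is checked, so timing and response text do not differ between a blocked correct guess and a blocked wrong one.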

 Encryption

  Strong

   Implemented correctly?

   Implemented poorly?

    Becomes weak (e.g. hard-coded key, reused IV / nonce, home-grown algorithm, ciphertext not authenticated)

  Weak

   Improve encryption method

 Password storage

  Secure?

  Insecure?

   Use secure method

 Privileges

  Are users seeing only what they should be allowed to? (other users' data; admin-only functions after an ordinary login)

Usability

 Consistency

  Multiple login methods

   Should use a single login API

   All variables consistent across login approaches

  Layout

  Terminology

  Prevent copy paste into password confirmation field

   1st typed password may have a mistake in it

   Caveat: blocking paste also blocks password managers; a show-password toggle catches the same typos without that cost

 Learnability

  Any constraints clearly visible

  Field max length helps rule out the user's forgotten usernames / passwords

   Majority use a small set of U/P's

   Caveat: keep the password maximum generous (64+ characters); a low cap weakens security more than it helps recall

  Affordance

   Short cuts

   Tab order

   Stay logged in forever

 Errors

  Clearly stated

    Explain what went wrong

     In a non-technical way

      Depending upon context

     Without revealing whether the username exists (same message for an unknown user and a wrong password)

   Explain how to resolve the issue

   Be human

  Reporting

   Usable, quick method of reporting errors

   Clear indication of defect resolutions policy

    Not massive legal style document

    Quick sharp and to the point

Compatibility

 Browsers

 Operating systems

 Mobile OS

  Browsers

 Databases

Error handling

Appropriate

 Invalid characters

 Unexpected format

  e.g. Email expected, user name entered

 Null inputs

 Spaces between characters

 Blank space only

 Max length

 Authentication mechanism goes offline

  Database

  Backend

  3rd party
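The input cases listed above (invalid characters, unexpected format such as a username where an e-mail is expected, null input, spaces between characters, blank space only, max length) are easiest to test against a validator that returns a distinct, stable error code for each. The following is an added example, not code from the original outline; the length limits and the allowed username character set are assumptions.

```python
import unicodedata
from typing import Optional, Tuple

# Assumed limits (not from the page): adjust to the product's own rules.
IDENTIFIER_MAX = 64
PASSWORD_MAX = 128      # upper bound stops multi-megabyte inputs reaching a slow hash


def check_identifier(value: Optional[str], expect_email: bool) -> Tuple[bool, str, Optional[str]]:
    """Validate the username / e-mail field.

    Returns (ok, error_code, canonical_value). Error codes are stable keys the
    UI maps to plain-language, localised messages; the canonical value is what
    the account lookup should use, so 'alice ' and 'alice' hit the same row.
    """
    if value is None:
        return False, "missing", None
    # Compose accented characters (NFC) so 'e' + combining acute equals U+00E9,
    # then drop leading / trailing whitespace; internal whitespace stays an error.
    value = unicodedata.normalize("NFC", value).strip()
    if value == "":
        return False, "blank", None
    if len(value) > IDENTIFIER_MAX:
        return False, "too_long", None
    if any(ch.isspace() for ch in value):
        return False, "internal_space", None
    if expect_email:
        if "@" not in value:
            return False, "expected_email_got_username", None
        local, _, domain = value.rpartition("@")
        if (not local or "@" in local or "." not in domain
                or domain.startswith(".") or domain.endswith(".")):
            return False, "bad_email_format", None
    elif not all(ch.isalnum() or ch in "._-" for ch in value):
        return False, "invalid_characters", None    # accented and CJK letters are allowed
    return True, "", value


def check_password(value: Optional[str]) -> Tuple[bool, str]:
    """Validate the password field. Never trimmed: whitespace is part of the
    secret. Only null, empty and over-long values are rejected here; whether it
    is the right password is the verifier's job, not the form's."""
    if value is None:
        return False, "missing"
    if value == "":
        return False, "blank"
    if len(value) > PASSWORD_MAX:
        return False, "too_long"
    return True, ""


if __name__ == "__main__":
    # Constructed inputs covering each case in the outline.
    for raw, as_email in [(None, False), ("   ", False), ("a l i c e", False),
                          ("alice", True), ("alice@example", True),
                          ("al;ce", False), ("  alice ", False), ("Jose\u0301", False)]:
        print(repr(raw), "->", check_identifier(raw, as_email))
```

Returning a code rather than a sentence keeps the security decision (what is rejected) separate from the wording, which the Errors section asks to be non-technical and context dependent; it also makes the localisation of messages a UI concern rather than a validator concern.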

Scope for other test ideas

 Registration process

 Forgotten password process

 Non regular logins

 Logout process

Debug

 Logging

  Useful logging

  Traceable

 Code easily debuggable

Testability

 Isolated harness / test process

 Unit tests

See Also: Quick feedback

  Test team reviewed

 System level automated tests

See Also: Quick feedback

 Ease of product setup for testing new code

  Too hard?

   Improve

   Automate process

Upgrade

 Backwards compatible

 Modular code

 Ease of upgrade process with changes to login API

 Upgrade policy

  Customized projects

   Made changes to API outwith policy

See Also: Care to support?

  Re-Sellers

   Made changes to API outwith policy

See Also: Care to support?

Accessibility

 Captcha

  Audio alternative

   Useful?

   Trialled with valid users

 Colour scheme

 Alt text for images

 Standard implementation of headers, links, tables, buttons, on form

  All detected by screen reader software

 Descriptive component IDs

 Access keys apparent

 Tabbing through elements available

  Appropriate order

  Appropriate elements only

 Initial focus

  Appropriate initial field?

  Appropriate in context of this screen?

 ARIA Landmarks

  One for login

 Elements can be searched for

  Via browser standard find feature

  Via screen reader software

 State transition awareness

  Post login apparent to user

  Use of audio for page transitions

Perceptions

 Speed

  Response times

 Downtime

  Time to upgrade

   Improvable?

   Can we make it transparent?

  Maintenance tasks

   Needed?

    Can we make these transparent?

Extensibility

 Ability to use 3rd party validation mechanisms

 Ability to use 3rd party login mechanisms

 Ability to extend login mechanism to include for example a pin, along with existing username / password

Performance

 Max number of credentials stored by system

See Also: Resource monitoring

 Max number of logged in users

See Also: Resource monitoring

 Max simultaneous logins

See Also: Resource monitoring

 Login, logout scenario soak test

See Also: Resource monitoring

Recoverability

 Interrupt process

  Negative side effects?

  Corrupted data?

 Expectations

  Maintain user states?

  Don't maintain user states?

Visuals

 Appealing

  Nice help paradigm

  Nice error handling

   Preferably inline

   Intuitive

  Modern

 Consistent

 Fluid

Localisation

 Ability to handle other character sets in usernames and passwords

  Accented characters

  Asian scripts (e.g. CJK)

  Other?

  Unicode normalisation applied identically at registration and login, so the same password typed on different platforms still matches

Smoke

 Login

 Logout

 Stay logged in

Capability

 Simultaneous login

  Machines

  Domains

  Browsers

Quick feedback

See Also: System level automated tests, Unit tests

 Useful?

Resource monitoring

See Also: Login, logout scenario soak test, Max simultaneous logins, Max number of logged in users, Max number of credentials stored by system

Care to support?

See Also: Made changes to API outwith policy, Made changes to API outwith policy