To test a login page, focus on detailed negative testing that tries to break the login page. Make sure you also have positive test cases that check the UI elements. Don’t forget to test IT security policies, such as those for passwords, as well as performance.
We use login pages all the time.
Whether it’s for your favourite social network, your email or buying groceries, we can’t get away from customised user accounts.
As part of your software testing project, you’ll find that the process for login pages is very similar for most applications.
In this article I will break down these test cases for you.
If you are looking for how to test a registration page, then there is an entire page dedicated to this.
If you want to learn how to write test cases then you should read the article first.
User Interface Tests
Test Case ID | Test Case Description | Precondition | Expected Result | Post Condition |
UI0001 | Verify the login screen has rendered correctly with all items appearing “as expected” on the User Interface (UI) | | The screen has rendered correctly. [X] items as per the user spec are being displayed. | |
UI0002 | Verify logo is displayed as per the design specification | | Logo is displayed. Note: Ensure the right colours, sizes, format etc. are being used. | |
UI0003 | Verify username box is displayed with default text “Your name” | | The default text is displayed ‘as expected’. | |
UI0004 | Verify password box is displayed with default text “Your password”. | | The default text is displayed ‘as expected’. | |
UI0005 | Verify “Sign In” button is present. | | The button is displayed ‘as expected’. | |
UI0006 | Verify “Register” button is present. | | The button is displayed ‘as expected’. | |
UI0007 | Verify the “Forgot Password?” link is present | | The link is present in the expected location on the page as per the UI spec. | |
Notes:
Depending on the type of organisation, you may be asked to provide additional security credentials.
For example, in the banking industry, two-factor authentication (2FA) is usually required.
In order to test 2FA you’ll need a soft or a hard token.
Don’t forget to add this in your test plan.
I remember working on a UK government project where I was actually testing the SAML tokens to ensure they were being authenticated properly. That was using a tool called SoapUI.
Anyway
Functional Testing
Consider both positive and negative testing in your scenarios.
Below are test case descriptions with expected results. You may need to add individual test steps to ensure you have full visibility and coverage when testing.
Test Case ID | Test Case Description | Pre Condition | Expected Result | Post Condition |
FT001 | Verify user is able to enter their valid username. | | Valid User ID is accepted by the system. | |
FT002 | Verify the user is able to enter their correct password. | | Valid password is accepted. | |
FT003 | Verify the “Submit” button can be selected. | | “Submit” button is clickable. | |
FT004 | Verify the login page accepts the user’s credentials. Note: You might want to add the test cases above in a Test Scenario so you can cover all the tests in a logical order. | | Login page accepts credentials. User is directed to the post login page. | |
FT005 | Verify user can log in successfully once valid credentials have been entered. | | Successful login message should display with thank you text (e.g. “You’ve successfully logged in”), or the user is taken to the relevant page after a successful login. | |
FT006 | Verify registration section is not displayed when user enters valid credentials for existing account. | | User is directed to the post login page if the login is successful. There is NO option to register a new user from this page. | |
FT007 | Verify incorrect username fails login. | | Login error message is displayed. Note: The system should NOT display that the username was not found. This is a security risk and the system should not give any clues as to where the error is. | |
FT008 | Verify invalid password is not accepted. | | Login is rejected. Error message is displayed. User is NOT logged in. | |
FT009 | Verify invalid username and invalid password entered simultaneously fail. | | A meaningful error message such as “Invalid Login Error” should be displayed. | |
FT010 | Verify Login page does not accept user’s input/communication with the server has failed. | | User cannot continue testing unless resolved / tab refreshed / browser restarted etc. Browser tab freezes or “white screen of death” appears. | |
FT011 | Verify User name field is too short to contain validated input data. | | User cannot continue testing unless resolved / tab refreshed / browser restarted etc. | |
FT013 | Verify Password field is too short to contain validated input data. Note: ensure you check your organisation’s password security policy before creating this test case. | | Password has minimum length requirements of 5 characters with upper/lower case letters, numbers and symbols allowed, e.g. “!123qwe” OR “A1b2C3d4e5”. | |
FT014 | Verify password meets the minimum pass phrase length criteria. Note: ensure you check your organisation’s password security policy before creating this test case. | | Pass phrase minimum 6 words (no set words/patterns), minimum 8 characters in length (must contain at least one of the following: upper case letter, lower case letter, number or symbol). | |
FT015 | Verify Password field is too long to contain validated input data. Note: ensure you check your organisation’s password security policy before creating this test case. | | Password has maximum length requirements of 16 characters with upper/lower case letters, numbers and symbols allowed, e.g. “!123qwe&@#ABCDEFG”. | |
FT016 | Verify Caps Lock key is enabled during password entry. | | Incorrect Password error should display. | |
 | Verify Num Lock key is enabled during password entry. | | Incorrect Password error should display. | |
 | Verify system does not accept passwords which are too similar. Note: ensure you check your organisation’s password security policy before creating this test case. I have worked in organisations where the last 6 months’ worth of passwords were not accepted. | | Invalid Credentials error should display, e.g. “password” & “Password”. | |
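The check behind FT007 and FT008 can be automated by comparing the two failure responses field by field. The following is an added example, not code from the original article; the two login handlers, the `Response` type and the sample account are constructed stand-ins for the application under test.

```python
from dataclasses import dataclass

# Constructed sample account for the test; not taken from the article.
ACCOUNTS = {"alice@example.test": "Correct-Horse-9"}

@dataclass(frozen=True)
class Response:
    status: int
    body: str

def leaky_login(username: str, password: str) -> Response:
    """Stand-in handler that reveals which field was wrong."""
    if username not in ACCOUNTS:
        return Response(404, "Username not found")
    if ACCOUNTS[username] != password:
        return Response(401, "Incorrect password")
    return Response(200, "You've successfully logged in")

def generic_login(username: str, password: str) -> Response:
    """Stand-in handler that returns one error for every failed login."""
    if ACCOUNTS.get(username) != password:
        return Response(401, "Invalid login")
    return Response(200, "You've successfully logged in")

def failure_differences(login, known_user, unknown_user, wrong_password):
    """Return the response fields that differ between a wrong password
    for a real account and any password for a non-existent account.
    An empty list means the page gives no clue about which field failed."""
    bad_password = login(known_user, wrong_password)
    bad_username = login(unknown_user, wrong_password)
    return [
        field
        for field in ("status", "body")
        if getattr(bad_password, field) != getattr(bad_username, field)
    ]

def run_check(login):
    """Run the FT007/FT008 comparison with constructed test data."""
    return failure_differences(
        login, "alice@example.test", "nobody@example.test", "wrong-password"
    )

if __name__ == "__main__":
    print("leaky_login differs in:", run_check(leaky_login))
    print("generic_login differs in:", run_check(generic_login))
```

Against a real application, replace the stand-in handler with a function that submits the credentials to the test environment and returns the status code and the rendered error text.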
Non Functional Testing
Performance Testing
Test Case ID | Test Case Description | Pre Condition | Expected Result | Post Condition |
PERF0001 | Verify Service unavailable | | The login page cannot communicate with a server / service which prevents correct validation of user credentials and subsequent successful login for this user. User cannot continue testing unless resolved / tab refreshed etc. Note: It might be difficult to replicate this. | |
You might be interested in a non functional requirements checklist for your project.
Considerations
Device Type
Your test scenario should consider the device you are using.
This is because the way that the UI is rendered will be different. For example, desktop, mobile and tablet will all display the output differently.
As a result, you may need to also think about accessibility testing (out of scope for this article).
Biometric Login
This article only focusses on the traditional way of entering your username and password to log in.
However, biometrics is a much safer and more secure way to log in.
As a result, if your application uses fingerprint ID or Face ID, then you should also look to add these types of tests to your test plan.
Login ID
I’ve found that if I’m a customer for an eCommerce store, then a valid email address is also used as a username.
However, working for an organisation as an employee or as a banking customer, the username will be more customised.
Penetration Testing
Whether or not you carry out the penetration testing yourself, it will need to be done.
Your organisation will need to ensure that the login page is fully secure and not open to SQL injection attacks or any other type of security hole.
Single Sign-On Testing
If your organisation uses single sign-on then the above steps might not even be required.
Services such as Okta allow organisations to connect their internal users with external systems using the same credentials.
This does depend on whether or not the external systems are compatible with Okta.
With regards to verification of the service and its connectivity, this will form part of your functional and security testing activities.
You should work very closely with your IT Security teams when conducting single sign-on testing to ensure that any integration testing has been carried out correctly.
Add it to your Regression Testing Suite
Once individual test cases have been approved, they can then form part of a future regression test suite.
It’s entirely up to you if you want to run them as manual or automated tests.
Summary
I hope this article really gives you an insight into how to write test cases for a login page.
With technology changing all the time, you’ll need to stay on top of your game and think about how to also test these new technologies as they integrate into your existing infrastructure.
The login page itself should be quite straightforward to test since there are very few elements on the page.
However, that does not mean that testing cannot be detailed.
Since this test relates to IT security, a LOT of time needs to be spent testing the security elements.