Test a user login page manually

 The process for testing a log-in page:

How to test a login page or user login page ???

Positive:
1) Give Username in alphanumeric characters

2) Give Username is Length of 5 alphanumeric characters

3) Give Username is Length of 10 alphanumeric characters

Negative:
4) Make Username field empty 

5) Entering Username in characters

6) Entering Username in Numeric

7) Entering Username in special characters

8) Make Username is Length of less than 5 alphanumeric characters

9) Make Username is Length of less greater than 10++ alphanumeric character.

Functional testing

1) Check if the page is loaded 

2) Check if password entered is masked 

3) If login is remembered, check if closing the browser and relogging doesnt take to login page 

4) If login is not remembered check if cookies helps to remember the session within the period 

5) Check if user id and password is authenticated 

6) If there is two step authentication check if it works 

7) If javascript is disabled check if 'sign on' submit triggers the process 

8) Check if sign-on page is reloaded after 'signing out'

9) Check if error-message is displayed when entered with incorrect input ie invalid user id or password  

10) Check if error-message is displayed when password or user id is not entered 

11) Check if after login, it doesn't take back to the login page when the website is opened in a new tab 

12) Check if password restrictions are applied when entering password ie integer 0-9, characters and special characters etc.

13) signon attempts limit

Usability testing

1) Availability of user id and password tab

 2) Check if user id and password form field is long enough 

3) If there is captcha, check if characters are visible and readable 

4) If there is 'remember me' option, check if its a tick box 

5) Check if 'sign on' button is available and clickable

6) Check if 'sign out' button is available and clickable 

7) Check if the messages displayed ie 'Invalid user-id and password' are visible, clear and is not truncated

Compatibility:

1) Check if everything works in different browsers

Integration:

1) If cookie or history is cleaned, the sign-on page should be re-loaded 

2) If browser is closed after sign-on check if the sign-on is not re-loaded on opening again 

3) Check if sign-on page works in browser incognito mode. 

4) Check if browser stores passwords in cookie during a session 

5) Check if browser stores passwords in local desk when 'remember me' option is checked

Performance:

1) sign-on to the application with multiple user accounts at the same time and capture latency of authentication

Appearance:

1) Check if images and favicon is loaded when the page is requested 2) Check if window is re-sized when browser size is changed

Security :

1) Check if the password is sent hashed or encrypted

2) and not (also) in plain text.

3) Check if it works without Javascript

4) Check that the underlying queries are sql injection safe. You don't want hackers to drop your tables using injection.

5) Verify https in url for login page.  S with Http mean secure http. If login is associated with http in url means you information to login in to application is not secure and anyone can access your information just by doing small effort. While HTTPS ensure encryption of information that is being sent to server from client end.

6) Verify ID in url while processing your request.  keep track on ID associated with your request url and ID associated with request url should be dynamic not static otherwise this may help some hacker to nab your information.

7) Check SQL injection. most devastating vulnerabilities to  impact a business, as it can lead to exposure of all of the sensitive information stored in an application’s database, including handy information such as usernames, passwords, names, addresses, phone numbers, and credit card details.

So I would suggest including this test cases if you are going to test some banking and insurance related application. Most common SQL injection that is used  or ‘1’=’1, if this got executed then be ready for the loss of your important information. If means hacker can login without any problem to system or application.

(The SQL Injection attack allows external users to read details from the database. In a well designed system this will only include data that is available to the public anyway. In a poorly designed system this may allow external users to discover other users' passwords.)

You an also try some security test with XSS. (There are many free tools are available for xss testing)

8) Verify account lock out, I would like to include this test case with priority, if user is using 3 or some specific number of time a wrong password then his/her account should be locked out and access should be allowed after certain assurance form filling or by calling customer care. This may help user from hackers hand.

9) Try some hit and trial username and password, before deploying application, username and password like Admin:Admin , Guest:Guest, some username :password, author:author  should be use to test but should be denied when application is deployed.
These all test not covering all types but also test the security of the application and other-thing of the application.
 But I am not saying that these test  are enough to test of application. Because security, privacy and some other important testing is the part of testing that does not have any relation with requirement document so more and more effort is needed if we are talking about the security of an application.