Reset password testing

Has someone experience in “Reset password” testing? What is the most efficient way?

The efficient process is to specify the reset procedure upfront. Make sure you answer the following questions:

  • are we asking for a username or an email or both?
  • are team administrators involved in approving the password reset procedure?
  • are we asking additional questions to validate the authenticity of the reset request like what is your full email (showing j***.**e@x**l.com for jane.doe@example.com)?
  • do we notify about non-existing username/email reset requests?
  • how long are we allowing the reset token to live?
  • do we allow one time usage of the reset token?
  • what is the procedure for an invalid reset token?
  • what is the procedure for an expired reset token?
  • do we allow previously used passwords?
  • do we enforce strong passwords?
  • do we stop the session after a successful new password creation and have the user authenticate again?
  • do we notify the user about the new password creation? If yes, which forms of notification are used/required?
  • do we need to propagate the new password on other systems as well?

Once you have clear answers you can work out the test cases you execute.

I hope this answers your question a bit.

4 Likes

Thanks Michelangelo, your questions are very helpful :-). Greetings from the sunny Netherlands

1 Like

I agree with Michelangelo that you should understand and scrutinise the procedure first. I’ve had experience with a password reset procedure that “worked” as originally requested, but what was originally requested was grossly insecure.

For example, all new passwords sent via email and generated from a limited bank of saved passwords… No requirement to mask the password when the email was recorded on the system notes…

It “worked” but it was awful. Test the requirements as well as the product :slight_smile:

Good luck!

Cassandra

4 Likes

Thanks Cassandra for the great tip :slight_smile:

1 Like

“do we notify about non-existing username/email reset requests?”

We do not. Under any circumstances. Anything other than an actual communication failure should be treated as a success with an appropriate 200 returned. It is a data leak and a security hole otherwise.

By the same token, we should always return a generic authentication failure on login regardless of whether it was the username, the password, or both that failed. Again, this is a data leak and enumeration vector for attack.

Reference in the same vein - https://www.owasp.org/index.php/Testing_for_Account_Enumeration_and_Guessable_User_Account_(OTG-IDENT-004)
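An added example (not code from any poster in this thread) that models what Michelangelo's checklist and @davidshute's enumeration point describe: the same response whether or not the account exists, a bounded token lifetime, one-time use, distinct handling of invalid, expired and already used tokens, and session invalidation once the password changes. The TTL value, the message text, the in-memory store and the PBKDF2 parameters are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: how long a reset token may live
GENERIC_RESPONSE = "If that account exists, a reset link has been sent."

def make_credential(password: str) -> tuple:
    salt = secrets.token_bytes(16)  # salted PBKDF2; the salt is stored beside the hash
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class ResetService:
    users: dict                                   # email -> (salt, hash)
    sessions: dict = field(default_factory=dict)  # email -> set of live session ids
    outbox: list = field(default_factory=list)    # (email, token) mails "sent", captured for tests
    _tokens: dict = field(default_factory=dict)   # sha256(token) -> {"user", "issued_at", "used"}

    def request_reset(self, email: str, now: float) -> str:
        """Same answer whether or not the account exists, so the response cannot enumerate users."""
        if email in self.users:
            for rec in self._tokens.values():     # a new request supersedes earlier tokens
                if rec["user"] == email:
                    rec["used"] = True
            token = secrets.token_urlsafe(32)     # only its hash is kept server-side
            key = hashlib.sha256(token.encode()).hexdigest()
            self._tokens[key] = {"user": email, "issued_at": now, "used": False}
            self.outbox.append((email, token))
        return GENERIC_RESPONSE

    def consume(self, token: str, new_password: str, now: float) -> str:
        """Returns 'invalid', 'already_used', 'expired' or 'ok' (one-time use, bounded lifetime)."""
        rec = self._tokens.get(hashlib.sha256(token.encode()).hexdigest())
        if rec is None:
            return "invalid"
        if rec["used"]:
            return "already_used"
        if now - rec["issued_at"] > TOKEN_TTL_SECONDS:
            return "expired"
        rec["used"] = True
        self.users[rec["user"]] = make_credential(new_password)
        self.sessions.pop(rec["user"], None)      # stop existing sessions; the user must log in again
        return "ok"

    def verify_password(self, email: str, password: str) -> bool:
        salt, digest = self.users[email]
        return secrets.compare_digest(digest, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))
```

The test cases from the checklist (unknown account, superseded token, garbage token, expired token, second use, old password refused after the change) map one-to-one onto calls to `request_reset`, `consume` and `verify_password`.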

Hey @davidshute, I completely agree with you about best practices and improved security, but I still see lots of web applications presenting a nice error if the email address is not found. The nicest example is at pingdom.com.

So, stepping away from security aspects, if it’s a business requirement you still need to test for it. And some sites send you your original password in clear text, which is even worse, but these sites still exist and are hard to ignore.

Usernames and passwords are essential for creating any account, like email accounts, social website accounts etc. Nowadays e-commerce is growing very rapidly and we need to remember a lot of passwords. So ‘Reset Password’ is a very important aspect of every application. Most software testing companies pay a lot of attention to testing this. To test ‘Reset password’, we generally perform the following steps:

  1. A ‘Reset Password’ link should be displayed on the Login screen.
  2. On clicking the link, the ‘Forgot password’ page should get loaded.
  3. For most secure sites, the following clickable options are displayed:
    a. Security Questions (questions with answers are submitted during registration) like favourite teacher’s name, birth place etc.
    b. OTP verification (mobile number saved at the time of registration).
  4. Clicking the ‘Security Questions’ link directs to the ‘Security questions’ page, on which adding the correct answers leads to the next (Reset Password) page.
  5. Clicking the ‘OTP verification’ link directs to the ‘OTP verification’ page, where adding the correct OTP code from the registered mobile number leads to the next (Reset Password) page.
  6. Contents available on the ‘Reset password’ page are:
    a. New Password with an editable field
    b. Confirm Password with an editable field
    c. ‘OK’ clickable button
  7. Criteria applied on both the ‘New Password’ and ‘Forgot Password’ fields should be like (it’s not mandatory):
    a. At least six characters
    b. At least one numeric character
    c. At least one special character
  8. On clicking the ‘OK’ button after adding correct and identical data in both the ‘New Password’ and ‘Confirm Password’ fields, a pop-up message ‘Password successfully changed, now login again’ with a link appears.
  9. Clicking the ‘Login again’ link redirects to the main Login page.
  10. Check that the user is able to log in to the account with the new password.

Hope this information will be helpful for you.

3 Likes
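As an added example (not part of the post above), the password criteria it lists (at least six characters, one numeric and one special character) together with the confirm-field match from step 8 and the “previously used passwords” question from Michelangelo's list, written as one check that reports every violation at once. The message texts, the salted PBKDF2 history format and the iteration count are assumptions.

```python
import hashlib
import hmac
import re
import secrets

MIN_LENGTH = 6               # the post's criteria: at least six characters, one numeric, one special
PBKDF2_ITERATIONS = 100_000  # assumed; history entries store (salt, digest) rather than clear text

def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def remember(password: str, history: list) -> None:
    """Append a salted hash of an accepted password so it can be refused next time."""
    salt = secrets.token_bytes(16)
    history.append((salt, _digest(password, salt)))

def check_new_password(new: str, confirm: str, history: list) -> list:
    """Return every violation found; an empty list means the reset may proceed."""
    problems = []
    if new != confirm:
        problems.append("New Password and Confirm Password do not match")
    if len(new) < MIN_LENGTH:
        problems.append(f"At least {MIN_LENGTH} characters required")
    if not re.search(r"[0-9]", new):
        problems.append("At least one numeric character required")
    if not re.search(r"[^A-Za-z0-9]", new):
        problems.append("At least one special character required")
    # Compare against the salted history, never against stored clear-text passwords.
    if any(hmac.compare_digest(_digest(new, salt), digest) for salt, digest in history):
        problems.append("Password was used previously")
    return problems
```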

Hi @soconnor2017, it can be automated to make testing more efficient. Create a test login on sign-up and use a free temporary email service like Guerrilla Mail (using a long, randomly generated email address). Then you can automate the password reset functionality and automate the checking, as it is all web based.

1 Like

Reset password (CMS)

The reset password should have a unique token.
There should be only one-time access to open the link.
If the user opens the reset password link again and again then the
If the user wants to keep the new password the same as the old password then the same password should be allowed.
If the user leaves a field blank then the validation message “The field is required.” should be displayed.
If the user enters a new password and a confirm new password that are different then both passwords should be validated and a validation message should be displayed below the password field.
If the user wants a password of only characters, only numbers or only special characters then it should be allowed.
If there is a password length limit then a validation message should be displayed when the user enters less than the set limit. Example: only 8-digit passwords are allowed and the user enters only 6 digits, then the validation message “The password must be 8 characters.” should be displayed below the password field.
If the password has a required format then the password should be validated against the set format and a validation message should be displayed. Example: “The password must include at least 3 capital letters, 1 special character and small letters.”
After successful validation, if the user clicks the save button then a success message should be displayed and there should be an auto-redirect to the login screen.
After successfully changing the password, if the user tries to log in on the login screen using the old password then “Incorrect username/password.” should be displayed.
In change password, if the user fills all the fields and clicks refresh then the form should be cleared.
Copy-paste of the password should not be allowed.
There should be a set maximum password length.
The Submit button should be enabled in all cases.

Change password

There should be three fields: Old password, New Password and Confirm New password.
If the user wants to keep the new password the same as the old password then the same password should be allowed.
If the user leaves a field blank then the validation message “The field is required.” should be displayed.
If the user enters an incorrect old password then the password should be validated and the error message “Old password is incorrect.” should be displayed at the top of the page/modal.
If the user enters a new password and a confirm new password that are different then both passwords should be validated and a validation message should be displayed below the password field.
If the user wants a password of only characters, only numbers or only special characters then it should be allowed.
If there is a password length limit then a validation message should be displayed when the user enters less than the set limit. Example: only 8-digit passwords are allowed and the user enters only 6 digits, then the validation message “The password must be 8 characters.” should be displayed below the password field.
If the password has a required format then the password should be validated against the set format and a validation message should be displayed. Example: “The password must include at least 3 capital letters, 1 special character and small letters.”
After successful validation, if the user clicks the save button then a success message should be displayed, there should be an auto logout after a few seconds and the login screen should be displayed again.
After successfully changing the password, if the user tries to log in on the login screen using the old password then “Incorrect username/password.” should be displayed.
In change password, if the user fills all the fields and clicks refresh then the form should be cleared.
Copy-paste of the password should not be allowed.
There should be a set maximum password length.
The Submit button should be enabled in all cases.

Forgot password

If the user enters an inactive user’s email address then the validation message “Inactive user.” should be displayed.
If the user enters a deleted user’s email address then the validation message “Invalid username” or “User not exist.” should be displayed.
If the user enters an invalid email address like “akshata@” then the email address validation message “Email address should be in format.” should be displayed.
If the user applies for forgot password again and again then the previous reset password link should be expired.
If the user applies for forgot password again and again then they should always get the email with the reset password link.
The reset password form should open in a new tab or new screen.
To check whether, when we select the forgot password link, it directs to the forgot password page.
To check whether that page asks for an alternative email id to send the link to.
To check whether the link has been sent to the mail the user provided.
To check whether the link can be used only once.
To check whether, when the user uses the link more than one time, it is dissolved.
To check whether, when the user opens the link, it asks the same security question as at the time he registered.
To check whether the answer given by the user now and the one he gave at the time of registering must be the same.
To check whether, if the user gives a wrong answer, it asks the user to wait and to provide more details to get his password.
To check whether, if the user gives the correct answer, the link moves to the new password page.
To check whether, when the user enters the new password and retypes the password, both must match before the new password is set.
To check whether, once the password is set, the account asks the user to move to his account or exit.
To check whether the user can now log in with the new password and it is working.
Logs should not display the password.