Testing a login form seems a trivial process, but to keep up with security requirements and usability efforts, this trivial process has become very complex.
A few things we test for that were not mentioned in the PDF guide are focused on testing the security of the login form.
- data overload: how much data can we submit through the form before the system fails? We copy a complete encyclopedia (~4GB of data) and paste it into the password input field, as there is less validation on that input.
- common password lookup: after the many breaches of the past decade, millions of passwords have been analyzed, and a list of the most common passwords is published each year (see Wikipedia). Does the login form perform a lookup against this list?
- JavaScript-off test: since most forms now make asynchronous posts using JavaScript for input validation and password-strength checking, does the form still work when JavaScript is disabled?
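The data-overload, common-password and JavaScript-off items above all come down to the server enforcing the rules itself. As an added example (not code from the original comment), a server-side password check in Python; the common-password sample and the 4096-byte limit are constructed assumptions:

```python
import unicodedata

# Constructed sample of a "most common passwords" list; a real deployment
# would load the published list from a file instead (assumption).
COMMON_PASSWORDS_TEXT = """\
123456
password
qwerty
Password1
letmein
"""

# Upper bound on password length, checked before any hashing so that an
# oversized submission (the encyclopedia paste) cannot tie up the server.
# 4096 bytes is an assumed, generous limit, not a value from the page.
MAX_PASSWORD_BYTES = 4096


def normalise(pw: str) -> str:
    # NFKC folds look-alike Unicode forms; casefold handles case variants.
    return unicodedata.normalize("NFKC", pw).casefold()


def load_common_passwords(text: str) -> set:
    """Build a lookup set, normalised so 'Password1' and 'PASSWORD1' match."""
    return {normalise(line) for line in text.splitlines() if line.strip()}


def check_password(pw: str, common: set, max_bytes: int = MAX_PASSWORD_BYTES) -> str:
    """Return 'ok' or the reason the password is rejected.

    Runs server-side, so it applies even when the client has JavaScript off.
    Length is measured in encoded bytes and checked first, before the
    (comparatively expensive) normalisation and lookup.
    """
    if len(pw.encode("utf-8")) > max_bytes:
        return "too_long"
    if not pw:
        return "empty"
    if normalise(pw) in common:
        return "common_password"
    return "ok"


COMMON = load_common_passwords(COMMON_PASSWORDS_TEXT)

if __name__ == "__main__":
    for candidate in ["PASSWORD1", "x" * 5000, "correct horse battery staple"]:
        print(repr(candidate[:20]), "->", check_password(candidate, COMMON))
```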
When two-factor authentication is provided, the tests extend even further.
- test with invalid token
- test with valid token
- test with invalid backup code
- test with valid backup code
- test lockout procedure
- test recovery process
And when teams are involved, the roles and rights of team members for the account restore procedure need to be tested as well.
I hope you like this addition and find it useful.