A few testing questions and answers

A notable Indian tester, Santhosh Tuppad, has recently asked testers around the world 18 testing questions. He also announced prizes (testing books) for the winners (applicable to testers from India). Although the contest will have ended by the time this post is published, I don’t think answering a few of them is unworthy.

1. What if you click on something (A hyperlink) and to process or navigate to that webpage you need to be signed in? Currently, you are not signed in. Should you be taken to Sign up form or Sign in form? What is the better solution that you can provide?

Sign in page

When I click on a hyperlink (pointing to a web page), either from another web page or from anywhere else, I expect my default browser to open and take me to the page directly (a few automatic redirections are acceptable, but too many are a pain). If authentication is required to view the page, the application can redirect me (as I am not signed in currently) to its login page with a noticeable message. The message should clearly state that I am here because I am not logged in and this page requires me to be logged in. After providing my credentials and clicking on the Login button, the application should take me to the target page directly (without any more clicks). Well, I might not have an account to log in to the site. So, I would expect a sign up link on the login page so that I can continue.

What if an application has no dedicated sign in page, but the sign in form is embedded in another page, e.g. the home page? The application can redirect me to the home page in such a case. But again I would expect a clear message right beside the login block, saying why I am here and what I need to do.

Sign up page

If someone is really new to the site, it might be helpful to take him to the sign up page (with a proper message) directly. But how will the application detect whether the person is really a first time visitor? If it could, it would be awesome.

Neither sign in nor sign up

I know the link I clicked on is a secure (login required) page. I also know I am logged in as a domain user in my office and the site can authenticate me through Active Directory services. In such a situation, I would expect to land on the requested page directly without login/signup.


2. Using “Close” naming convention to go back to the homepage is good or it should be named as “Cancel” or it is not really required because there is a “Home” link which is accessible. What are your thoughts?

A Close button/link is generally used to close a window/tab. A Cancel button/link is generally used to cancel an in-progress operation or close a modal window. If you think your user might need to go back to the home page at any time, why would you confuse your user with a ‘Close’ or ‘Cancel’ button/link? Why not simply ‘Home’ or ‘Back to Home’?


3. Logout should be placed on top right hand side? What if it is on the top left hand side or in the left hand sidebar which is menu widget like “My Profile”, “Change Password” etc. — Is it a problem or what is your thought process?

It is okay to place it at the top-right or top-left or in any other commonly used place (e.g. at the bottom of the left menu). It doesn’t cause much of a problem once the user knows where it is. But if you hide it inside something else (e.g. under an irrelevant menu, under a collapsible panel, only on a specific page) or move it around, that might cause problems for some users.


4. Current design of forgot password asks for username and security answer and then sends a link to e-mail inbox to set new password. How does “security answer” increase the cost of operations? Also, what questions do you frame for security questions?

What if I forgot my username too?

Really, I do forget my username sometimes. I think many others like me forget their usernames too. Probably I would never forget it if I could use my first name everywhere. Some applications consider my email address as the username, while others give me the option to set my own username. Those who allow choosing a username don’t allow duplicates. Hence, I can’t stick to a single username.

What if I can’t remember my security answer?

Those who choose different sets of questions and answers across the various applications might forget the answer. Typically, if someone forgot a security answer, she has to contact customer care, and thus it increases the cost of operations.

What questions do you frame for security questions?

I don’t care what questions they provide; I just choose one randomly. Whatever question I choose, the answer remains the same. I consider it another password. This way, I try to protect myself from social engineering attacks. But I see two problems:

  1. The security answer box is often unmasked. Anyone behind me can see my answer.
  2. The browser remembers what I typed in the answer box.


5. If you had to design “Forgot Password” working, how would you do it and why? You are free to give many different functional designs.

https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet
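One token-based design for question 5, added here as an example; it is not code from the original post or from the OWASP cheat sheet. The reply never reveals whether the username exists, only a hash of the reset token is stored, and the link is single-use and expires. The in-memory stores, the example.test link and the 15-minute lifetime are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

# Constructed in-memory stores standing in for a database (assumption, not a real backend).
USERS = {"alice": "alice@example.com"}
PASSWORD_HASHES = {}   # username -> (salt, pbkdf2 digest)
RESET_TOKENS = {}      # sha256(token) -> (username, expires_at); only the hash is kept
OUTBOX = []            # (address, reset link) that would have been e-mailed
TOKEN_TTL = 15 * 60    # a reset link lives 15 minutes
GENERIC_REPLY = "If that account exists, a reset link has been sent to its e-mail address."

def _digest(token):
    # A leaked RESET_TOKENS table holds hashes only, so its rows cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()

def _password_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def request_reset(username, now=None):
    """Step 1: the reply is identical whether or not the username exists."""
    now = time.time() if now is None else now
    if username in USERS:
        # Revoke any earlier link for this user so only the newest one works.
        for key, (owner, _) in list(RESET_TOKENS.items()):
            if owner == username:
                del RESET_TOKENS[key]
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[_digest(token)] = (username, now + TOKEN_TTL)
        OUTBOX.append((USERS[username], "https://example.test/reset?token=" + token))
    return GENERIC_REPLY

def complete_reset(token, new_password, now=None):
    """Step 2: the link is consumed on first use and rejected after expiry."""
    now = time.time() if now is None else now
    entry = RESET_TOKENS.pop(_digest(token), None)  # gone after one attempt, valid or not
    if entry is None:
        return False
    username, expires_at = entry
    if now > expires_at:
        return False
    salt = os.urandom(16)
    PASSWORD_HASHES[username] = (salt, _password_hash(new_password, salt))
    return True

def check_password(username, password):
    # Unknown users get an empty salt and digest so the comparison still runs and fails.
    salt, stored = PASSWORD_HASHES.get(username, (b"", b""))
    return hmac.compare_digest(stored, _password_hash(password, salt))
```

No security question is involved: the e-mail inbox is the second factor, and the token's short life and single use limit what an intercepted link is worth.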

How to recover your hacked yahoo account?

I know how tense you are if hackers have compromised your free Yahoo account. Many important documents, files and pictures are there. The most important thing is that you have registered on many websites using that account. No doubt the hackers will compromise those accounts as well if you are late to recover it. After compromising an account, a hacker resets the current password so that the owner of the account cannot log in, at least during his next few operations. Then he changes a few important pieces of information, such as the zip code, alternate email address and security questions, so that the owner cannot reset his password using Yahoo Password Helper. After doing all these basic tasks he goes to the inbox and searches with keywords like “account information”, “username”, “password”, “credit card”, “master card”, “paypal”, “love”, “sex” etc.

Anyway, you have already wasted your time on the internet looking for hopeless tricks to recover your old password. Don’t worry, I will not waste your time anymore. Here are the tricks to get back your account. Go to https://edit.yahoo.com/forgotroot (or click the ‘I can’t access my account’ link on the Yahoo login screen), then follow the steps:

Screenshot captions (images not reproduced here):

Step 1: What's the problem you are experiencing
Step 2: Please select an option to reset your password
Step 3: We'll help you to sign into yahoo
Step 4: Please select an option to reset your password
Step 5 (ACTUAL TRICK): Please answer your secret question

You are thinking that the steps described here are not new; probably you have already tried this. And you found that in the last step the security question asked is not yours but the hacker’s. It might seem to you that the hackers have already changed the security questions and answers and there is nothing you can do here. Another thing you might have noticed is that the security questions are the same as the ones you set, but Yahoo is not taking your answer as correct. This is because the hackers have set new answers to your questions. Well, perhaps you have also tried with your alternate email address, but you failed because the hackers have changed the alternate address too.

It seems there is no way to get back the account. But there’s a way, and a very simple one. Look at the image of Step 5, especially the red rectangle area. There is a link, “This is not my question”. Clicking on that link, Yahoo will show you the old initial question(s) that you set for your security. No matter how many times the hackers have changed your security questions and answers, you still get your question sets. This is a new feature Yahoo implemented recently to give the original owner a chance to get back the account. By the way, changing the security questions is not as straightforward as in Gmail. As far as I know there are three ways to do that.

  • Sending a change request email to my-login-request@yahoo-inc.com
  • Submitting your questions through a form
  • Just after finishing the password retrieval process, it gives an option to change security questions.

I tried the first option; it returned a message saying “Thank you for contacting Yahoo! Customer Care. Unfortunately an agent cannot respond to your question until it is submitted through a form on our Help pages.”

Then I submitted through their form but haven’t got any reply yet.

The 3rd option works. I can add new security question-answer pairs through this process, but the problem is I cannot remove or change my initial questions.

However, it seems a great feature for the account owner that the old initial security questions are remembered, but what about the hackers? Imagine what happens when someone knows the answers to your secret questions. Actually, your account has been compromised using your secret questions and answers. Maybe the hacker is your ex-boyfriend or ex-girlfriend, who knows your favorite foods, your father’s birth location, your first phone number, where you were born, etc. Let’s say you have been hacked and you recovered your account using that cool feature, and now you want to change the questions to be more secure: the hacker can always select “This is not my question” and go back to the previous question.

So, the old questions should expire after a certain period, shouldn’t they? I believe there is a way to change old security questions, but I’m quite sure there is no quick way right now.
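The expiry this post asks for, as an added example that is not part of the original post or anything Yahoo implemented: each account keeps its question sets, a replaced set stays answerable (the “This is not my question” path) only for a grace period, and answers are stored hashed like passwords, as question 4 suggests. The SecurityQuestions class and the 30-day grace period are assumptions.

```python
import hashlib
import hmac
import os

# Assumed policy: a replaced question set stays answerable for 30 days, then it is gone for good.
GRACE_PERIOD = 30 * 24 * 3600

def _hash_answer(answer, salt):
    # Normalise case and spacing, then treat the answer exactly like a password.
    norm = " ".join(answer.strip().lower().split())
    return hashlib.pbkdf2_hmac("sha256", norm.encode(), salt, 100_000)

class SecurityQuestions:
    """One account's question sets, oldest first; a retired set records when it was replaced."""

    def __init__(self):
        self.sets = []  # dicts with keys question, salt, digest, retired_at

    def set_question(self, question, answer, now):
        if self.sets:
            self.sets[-1]["retired_at"] = now  # the previous set starts its grace period
        salt = os.urandom(16)
        self.sets.append({"question": question, "salt": salt,
                          "digest": _hash_answer(answer, salt), "retired_at": None})

    def askable(self, now):
        """The current set plus any retired set still inside its grace period."""
        return [s for s in self.sets
                if s["retired_at"] is None or now - s["retired_at"] < GRACE_PERIOD]

    def verify(self, question, answer, now):
        """Accept the answer only against a set that is still askable at this moment."""
        for s in self.askable(now):
            if s["question"] == question and hmac.compare_digest(
                    s["digest"], _hash_answer(answer, s["salt"])):
                return True
        return False
```

While the grace period is open the intruder's replacement set still answers, so its length is a trade-off between locking the owner out and letting the intruder back in.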