A few testing questions and answers

A notable Indian tester, Santhosh Tuppad, recently asked testers around the world 18 testing questions. He also announced prizes (testing books) for the winners (applicable to testers from India). Although the contest is supposed to have ended by the time this post is published, I still think a few of the questions are worth answering.

1. What if you click on something (a hyperlink) and to process or navigate to that webpage you need to be signed in? Currently, you are not signed in. Should you be taken to the Sign up form or the Sign in form? What is the better solution that you can provide?

Sign in page

When I click on a hyperlink (pointing to a web page), either from another web page or from anywhere else, I expect my default browser to open and take me to the page directly (a few automatic redirections are acceptable, but too many are a pain). If authentication is required to view the page, the application can redirect me (as I am not currently signed in) to its login page with a noticeable message. The message should clearly state that I am here because I am not logged in and this page requires me to be logged in. After I provide my credentials and click the Login button, the application should take me to the target page directly (without any more clicks). Well, I might not have an account to log in to the site. So I would expect a sign up link on the login page so that I can continue.

What if an application has no dedicated sign in page, and the sign in form is embedded in another page, e.g. the home page? In that case the application can redirect me to the home page. But again I would expect a clear message right next to the login block, saying why I am here and what I need to do.
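The redirect-to-login-and-back flow described above is usually carried in a return-target parameter, and that parameter has to be validated so that it can only lead back into the same site. The following is an added example, not code from the original post; the `/login` route, the `next` and `reason` parameter names and the function names are assumptions.

```python
from typing import Optional
from urllib.parse import urlencode, urlsplit

LOGIN_PATH = "/login"  # assumed route name, not from the post
HOME_PATH = "/"        # fallback when the requested target is unusable


def safe_target(target: Optional[str]) -> str:
    """Return `target` only if it is a path on this site, else HOME_PATH."""
    if not target:
        return HOME_PATH
    # Backslashes and control characters can be normalised by browsers into
    # something that no longer looks like a local path, so refuse them.
    if any(ch == "\\" or ord(ch) < 0x20 for ch in target):
        return HOME_PATH
    try:
        parts = urlsplit(target)
    except ValueError:
        return HOME_PATH
    # A scheme or host means the target points off-site.
    if parts.scheme or parts.netloc:
        return HOME_PATH
    # Require an absolute local path; "//host" is protocol-relative.
    if not target.startswith("/") or target.startswith("//"):
        return HOME_PATH
    return target


def login_redirect(requested: str) -> str:
    """Where to send a signed-out visitor who asked for a protected page.

    `reason` lets the login page show the "you must sign in to view this
    page" message the post asks for.
    """
    query = urlencode({"next": safe_target(requested), "reason": "auth_required"})
    return f"{LOGIN_PATH}?{query}"


def after_login(next_param: Optional[str]) -> str:
    """Landing page after a successful login; the value is validated again
    because it came back from the browser."""
    return safe_target(next_param)
```

A tester can use the same cases as checks: a local path must survive the round trip unchanged, and anything carrying a scheme, a host or a backslash must land on the home page.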

Sign up page

If someone is really new to the site, it might be helpful for them to go directly to the sign up page (with a proper message). But how will the application detect whether the person is really a first-time visitor? If it could, that would be awesome.

Neither sign in nor sign up

I know the link I clicked on is a secure (login required) page. I also know I am logged in as a domain user in my office and the site can authenticate me through Active Directory services. In such a situation, I would expect to land on the requested page directly without login/signup.

 

2. Is using the “Close” naming convention to go back to the homepage good, or should it be named “Cancel”, or is it not really required because there is a “Home” link which is accessible? What are your thoughts?

A Close button/link is generally used to close a window or tab. A Cancel button/link is generally used to cancel an in-progress operation or close a modal window. If you think your user might need to go back to the home page at any time, why would you confuse your user with a ‘Close’ or ‘Cancel’ button/link? Why not simply ‘Home’ or ‘Back to Home’?

 

3. Should Logout be placed on the top right-hand side? What if it is on the top left-hand side or in the left-hand sidebar, which is a menu widget like “My Profile”, “Change Password” etc. — Is it a problem, or what is your thought process?

It is okay to place it at the top right, the top left or any other commonly used place (e.g. at the bottom of the left menu). It doesn’t cause much of a problem once the user knows where it is. But if you hide it inside something else (e.g. under an irrelevant menu, under a collapsible panel, only on a specific page) or move it around, that might cause problems for some users.

 

4. The current design of forgot password asks for a username and security answer and then sends a link to the e-mail inbox to set a new password. How does “security answer” increase the cost of operations? Also, what questions do you frame for security questions?

What if I forgot my username too?

Really, I do forget my username sometimes. I think many others like me forget their usernames too. I would probably never forget it if I could use my first name everywhere. Some applications treat my email address as the username, while others give me the option to set my own username. Those that allow choosing a username don’t allow duplicates. Hence, I can’t stick to a single username.

What if I can’t remember my security answer?

Those who choose a different set of questions and answers for each application might forget the answer. Typically, if someone forgets her security answer, she has to contact customer care, and that increases the cost of operations.

What questions do you frame for security questions?

I don’t care what questions they provide; I just choose one randomly. Whatever question I choose, the answer remains the same. I consider it another password. This way, I try to protect myself from social engineering attacks. But I see two problems:

  1. The security answer box is often unmasked. Anyone behind me can see my answer.
  2. The browser remembers what I typed in the answer box.

 

5. If you had to design how “Forgot Password” works, how would you do it and why? You are free to give many different functional designs.

https://www.owasp.org/index.php/Forgot_Password_Cheat_Sheet
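One possible design for the "send a link to the e-mail inbox" step from question 4, as an added example that is not part of the original post: the reply is identical whether or not the username exists, and the link carries a random token that is stored only as a hash, expires, and works once. The in-memory stores, the 15-minute lifetime, the `app.example.test` host and all function names are assumptions; the security-answer step is left out.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds; assumed lifetime for this sketch
GENERIC_REPLY = "If that account exists, a reset link has been e-mailed."
USERS = {"alice": "alice@example.test"}  # constructed sample account
PENDING = {}  # sha256(token) -> (username, expires_at); raw token never stored


def digest(token: str) -> str:
    """Hash the token so a leaked PENDING table does not yield usable links."""
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(username, outbox, now=None):
    """Queue a reset link if the account exists; reply identically either way."""
    now = time.time() if now is None else now
    email = USERS.get(username)
    if email is not None:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        PENDING[digest(token)] = (username, now + TOKEN_TTL)
        # Placeholder host; a real system would hand this to its mailer.
        outbox.append((email, f"https://app.example.test/reset?token={token}"))
    return GENERIC_REPLY


def redeem(token, now=None):
    """Return the username for a valid token and consume it, else None."""
    now = time.time() if now is None else now
    entry = PENDING.pop(digest(token), None)  # pop makes the link single-use
    if entry is None:
        return None
    username, expires_at = entry
    return username if now <= expires_at else None
```

The test cases that fall out of this design are: same reply for known and unknown usernames, a second use of the same link fails, and a link used after its lifetime fails.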
