Interview #99: Write negative Test cases for “Reset Password” feature

The Reset Password feature is crucial for user account security, allowing users to regain access when they forget their password. While positive test cases ensure the feature works as expected, negative test cases help identify potential vulnerabilities, security loopholes, and usability issues.

Negative testing involves testing invalid, unexpected, or edge-case scenarios to verify that the system can handle errors gracefully. Below are various negative test cases that should be considered while testing the Reset Password functionality.

2. Negative Test Cases for Reset Password

A) Invalid Email or Username Handling

These test cases ensure that the system correctly handles incorrect credentials.

  1. Non-registered email address

  • Enter an email that is not associated with any account and check if an appropriate error message is displayed.
  • Expected Result: "This email is not registered with us."

  2. Incorrect username (if applicable)

  • Enter a non-existent username and attempt to reset the password.
  • Expected Result: "Username not found."

  3. Empty email field

  • Submit the reset request without entering an email.
  • Expected Result: "Email field cannot be empty."

  4. Invalid email format

  • Enter an email with an incorrect format (e.g., user@com, user.com, @gmail.com).
  • Expected Result: "Please enter a valid email address."

  5. Email with extra spaces

  • Enter an email with leading/trailing spaces and submit.
  • Expected Result: System should trim spaces or display an error message.


B) Security and Rate-Limiting Checks

These test cases validate the system’s resilience against security threats.

  1. Excessive reset attempts (Brute Force Prevention)

  • Try multiple password reset attempts for the same email within a short period.
  • Expected Result: System should limit attempts and display "Too many attempts, please try again later."

  2. Rate-limiting across multiple IP addresses

  • Attempt multiple password resets from different IPs for the same account.
  • Expected Result: System should detect abnormal activity and block further attempts.

  3. No rate-limiting (Spam Attack)

  • Use an automation script to flood the system with reset requests.
  • Expected Result: The system should detect spam requests and block excessive attempts.

  4. Multiple reset links generated for the same account

  • Request a reset from multiple devices/emails and check whether multiple links are generated.
  • Expected Result: The latest reset link should invalidate the previous ones.
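An added example (not code from the original article) of the server-side behaviour that test cases B1 to B3 exercise, which also produces the enumeration-safe response from E5: a sliding-window limiter keyed by normalised email and by client IP that answers registered and unregistered addresses identically. The thresholds, window length and the `registered` set are constructed for the example.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Set, Tuple

# Constructed thresholds for this example; the real values are a product decision.
MAX_PER_EMAIL = 3            # reset requests per e-mail address per window (B1, B2)
MAX_PER_IP = 10              # reset requests per client IP per window (B3)
WINDOW_SECONDS = 15 * 60

GENERIC_RESPONSE = "If this email is registered, you will receive a reset link."
THROTTLED_RESPONSE = "Too many attempts, please try again later."


class ResetRequestLimiter:
    """Sliding-window limiter keyed by normalised e-mail and by client IP."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now                      # injectable clock so tests can advance time
        self._by_email = defaultdict(deque)  # email -> timestamps of recent requests
        self._by_ip = defaultdict(deque)     # ip    -> timestamps of recent requests

    @staticmethod
    def _recent(q: deque, now: float) -> int:
        # Drop timestamps that have aged out of the window, then count what is left.
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()
        return len(q)

    def request_reset(self, email: str, client_ip: str,
                      registered: Set[str]) -> Tuple[str, bool]:
        """Return (message shown to the user, whether a reset e-mail is actually sent).

        Unregistered addresses are counted and answered exactly like registered ones,
        so neither the message nor the throttling reveals whether an account exists (E5).
        """
        now = self._now()
        key = email.strip().lower()  # "  Alice@Example.com " and "alice@example.com" share a bucket
        if (self._recent(self._by_email[key], now) >= MAX_PER_EMAIL
                or self._recent(self._by_ip[client_ip], now) >= MAX_PER_IP):
            return THROTTLED_RESPONSE, False
        self._by_email[key].append(now)
        self._by_ip[client_ip].append(now)
        # The caller sends mail only when this is True; the user sees the same text either way.
        return GENERIC_RESPONSE, key in registered
```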


C) Password Reset Link Issues

These test cases verify the security and usability aspects of the reset link itself.

  1. Expired reset link

  • Use a password reset link after the expiration period (e.g., 24 hours).
  • Expected Result: "This reset link has expired. Please request a new one."

  2. Reset link used multiple times

  • Try using the same reset link twice.
  • Expected Result: The second attempt should be blocked with a "This reset link has already been used" message.

  3. Tampered reset link (URL Manipulation)

  • Modify the reset link URL and check if unauthorized access is granted.
  • Expected Result: The system should reject modified links.

  4. Reset link without authentication validation

  • Open the reset link on a different device or browser.
  • Expected Result: System should verify user identity before proceeding.

  5. Reset link accessed after account deletion

  • Delete the account after generating the reset link and then attempt to use it.
  • Expected Result: "Account does not exist" message should be displayed.
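As an added example (not code from the original article), a token store that implements the reset-link behaviour sections B4 and C1 to C5 test for: a new link supersedes the previous one, a link works exactly once, expires after 24 hours, fails if the URL token is altered, and fails if the account no longer exists. The `accounts` set, the injectable clock and the return strings are constructed for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 24 * 60 * 60   # 24-hour expiry, as in test case C1 above

@dataclass
class ResetRecord:
    user_id: str
    expires_at: float
    used: bool = False

class ResetTokenStore:
    """Single-use reset tokens. Only the SHA-256 hash of each token is stored, so a
    leaked table does not yield working links; the raw token exists only in the e-mail."""

    def __init__(self, accounts: set, now=time.time):
        self._accounts = accounts        # ids of live accounts (constructed user table)
        self._now = now                  # injectable clock so tests can advance time
        self._records = {}               # token hash -> ResetRecord
        self._active = {}                # user id -> hash of that user's current token

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id: str) -> str:
        old = self._active.pop(user_id, None)     # B4: a new link supersedes the old one
        if old is not None:
            self._records.pop(old, None)
        token = secrets.token_urlsafe(32)         # 256 bits from the OS CSPRNG
        h = self._digest(token)
        self._records[h] = ResetRecord(user_id, self._now() + TOKEN_TTL_SECONDS)
        self._active[user_id] = h
        return token

    def redeem(self, token: str) -> str:
        """Return 'ok' or the reason the link must be rejected."""
        rec = self._records.get(self._digest(token))
        if rec is None:
            return "invalid"            # C3/B4: tampered, unknown or superseded link
        if rec.used:
            return "already_used"       # C2: same link presented twice
        if self._now() > rec.expires_at:
            return "expired"            # C1: past the 24-hour window
        if rec.user_id not in self._accounts:
            return "account_missing"    # C5: account deleted after the link was sent
        rec.used = True
        return "ok"
```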


D) Password Complexity and Validation

These test cases verify that the new password meets security requirements.

  1. New password same as old password

  • Try setting the new password identical to the old one.
  • Expected Result: "New password cannot be the same as the old password."

  2. Weak password (if password policy exists)

  • Enter a password that does not meet the required complexity (e.g., 12345).
  • Expected Result: "Password must contain at least 8 characters, including uppercase, lowercase, numbers, and special characters."

  3. Mismatch between new password and confirm password

  • Enter different passwords in the "New Password" and "Confirm Password" fields.
  • Expected Result: "Passwords do not match."

  4. Password with leading or trailing spaces

  • Enter a password like " myPass123 " (with spaces at the beginning or end).
  • Expected Result: System should trim spaces or display an error message.

  5. Using previous passwords (if password history enforcement exists)

  • Attempt to set a password that was used previously.
  • Expected Result: "You cannot reuse your previous passwords."
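An added example (not from the original article) of the server-side check behind test cases D1 to D5: a validator that returns every rule a candidate password violates and compares it against a salted hash history, so earlier passwords are never kept in clear. The history depth, the PBKDF2 stand-in for a real password hash and the wording of the leading/trailing space message are assumptions; this implementation rejects surrounding spaces rather than trimming them.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

MIN_LENGTH = 8
HISTORY_DEPTH = 5          # how many previous passwords are remembered (constructed value)
PBKDF2_ITERATIONS = 100_000
# Messages quoted from test cases D1, D2, D3 and D5 above.
SAME_AS_OLD = "New password cannot be the same as the old password."
COMPLEXITY_MSG = ("Password must contain at least 8 characters, including uppercase, "
                  "lowercase, numbers, and special characters.")
MISMATCH = "Passwords do not match."
REUSED = "You cannot reuse your previous passwords."
SPACES = "Password must not begin or end with spaces."   # constructed wording for D4


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 (stdlib stand-in for argon2/bcrypt)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    # Constant-time comparison so history checks do not leak timing information.
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def validate_new_password(new: str, confirm: str,
                          history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return every rule the candidate violates; an empty list means accept.

    history[0] is the (salt, hash) of the current password, older entries follow.
    """
    errors = []
    if new != new.strip():
        errors.append(SPACES)              # D4: reject rather than silently trim
    if new != confirm:
        errors.append(MISMATCH)            # D3
    if (len(new) < MIN_LENGTH or not re.search(r"[A-Z]", new)
            or not re.search(r"[a-z]", new) or not re.search(r"\d", new)
            or not re.search(r"[^A-Za-z0-9]", new)):
        errors.append(COMPLEXITY_MSG)      # D2
    if history and matches(new, *history[0]):
        errors.append(SAME_AS_OLD)         # D1
    elif any(matches(new, s, d) for s, d in history[1:HISTORY_DEPTH]):
        errors.append(REUSED)              # D5
    return errors
```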


E) Edge Cases and Miscellaneous

These test cases cover unexpected user behavior and failure conditions.

  1. System crash during password reset

  • Simulate an unexpected system crash or network issue while resetting the password.
  • Expected Result: The process should resume or fail cleanly, leaving the account in a consistent state.

  2. Session expiry during password reset

  • Stay idle for an extended period on the reset page and then submit the form.
  • Expected Result: "Session expired, please restart the process."

  3. Reset link sent to wrong user (email spoofing attempt)

  • Check if an attacker can receive the reset link of another user by modifying the email parameter.
  • Expected Result: The system should verify ownership before sending reset links.

  4. Requesting a reset while already logged in

  • Attempt a password reset while the user is logged into the account.
  • Expected Result: System should either log the user out or prompt confirmation.

  5. No feedback message after requesting reset

  • Submit a reset request and verify if feedback is provided (even for non-registered users, to avoid account enumeration attacks).
  • Expected Result: "If this email is registered, you will receive a reset link."


3. Conclusion

Testing the Reset Password feature with negative test cases ensures security, reliability, and usability. By covering invalid inputs, security vulnerabilities, and edge cases, testers can identify weaknesses that could be exploited by attackers or cause user frustration. Implementing proper validation, rate-limiting, and secure password policies enhances overall system security and user experience.
