How to Test Forgot Password on Web (Complete Guide)
Mastering Forgot Password Flows: A Practical Guide for Web Application Testing
The "Forgot Password" feature is a critical component of any web application. While often overlooked, its reliability directly impacts user experience and account security. A broken password reset flow can lead to frustrated users, abandoned accounts, and potential security vulnerabilities. This guide details how to thoroughly test this essential functionality.
### Why Forgot Password Testing is Crucial
Users forget passwords. It's an inevitability. A smooth, secure password reset process is paramount for retaining users and maintaining trust. Common failures include:
- Unsent or delayed reset emails: Users never receive the crucial link.
- Invalid or expired reset links: Links that don't work or time out too quickly.
- Insecure token generation: Predictable or easily guessable tokens.
- Lack of rate limiting: Allowing brute-force attacks on the reset mechanism.
- Poor error handling: Vague or unhelpful messages when something goes wrong.
- Accessibility barriers: Users with disabilities unable to complete the flow.
### Comprehensive Test Cases for Forgot Password
A robust testing strategy covers happy paths, error conditions, and edge cases.
#### Happy Path Scenarios
- Successful Email Reset:
  - Enter a registered email address.
  - Receive a password reset email with a valid, clickable link.
  - Click the link, land on the password reset page.
  - Enter a new, strong password and confirm it.
  - Receive a confirmation of successful password change.
  - Log in with the new password.
- Successful Username/Phone Reset (if applicable):
  - Follow the same steps as email reset, using the registered username or phone number.
#### Error Scenarios
- Invalid Email Address:
  - Enter a non-registered email address.
  - Verify an appropriate error message is displayed (e.g., "No account found with that email address.").
- Empty Email Field:
  - Submit the "Forgot Password" form with the email field blank.
  - Verify a validation error prompts the user to enter an email.
- Invalid Reset Link (Expired/Used):
  - Request a password reset.
  - Wait for the link to expire or click the link twice.
  - Attempt to use the expired/second link.
  - Verify an appropriate error message is shown (e.g., "This password reset link has expired or is invalid.").
- Password Mismatch:
  - Enter a new password and a different confirmation password.
  - Verify a clear error message (e.g., "Passwords do not match.").
- Weak Password Policy Violation:
  - Attempt to set a password that doesn't meet complexity requirements (e.g., too short, no special characters).
  - Verify specific error messages indicating policy violations.
- Rate Limiting - Multiple Requests:
  - Request password resets for the same email address multiple times in rapid succession.
  - Verify a "Too many requests" or similar message, and that subsequent requests are temporarily blocked.
#### Edge Cases
- Special Characters in Email:
  - Test with email addresses containing valid special characters (e.g., user.name+tag@example.com).
- Case Sensitivity:
  - Test if the email address input is case-sensitive for lookup.
- Simultaneous Reset Requests (Same User, Different Devices):
  - Initiate a reset on one device, then immediately initiate another on a different device for the same account. Observe system behavior and which reset token is considered valid.
#### Accessibility Considerations
- Keyboard Navigation:
  - Ensure all form fields, buttons, and links within the forgot password flow are navigable and operable using only a keyboard.
- Screen Reader Compatibility:
  - Verify that labels are correctly associated with form elements, error messages are announced, and the overall flow is understandable via a screen reader.
- Color Contrast:
  - Check that text and interactive elements have sufficient color contrast against their backgrounds, especially for error messages and links.
### Manual Testing Approach: Step-by-Step
1. Access the Login Page: Navigate to your web application's login page.
2. Locate "Forgot Password": Click the "Forgot Password" or "Reset Password" link.
3. Enter Registered Email: Type a valid, registered email address into the provided field.
4. Submit Request: Click the "Submit" or "Send Reset Link" button.
5. Check Inbox: Open the inbox for the entered email address.
6. Verify Email Content: Confirm the email has arrived promptly, contains clear instructions, and a functional reset link.
7. Click Reset Link: Click the provided link.
8. Verify Reset Page: Ensure you are directed to the correct password reset page, not the login page.
9. Enter New Passwords: Input a new password and confirm it. Pay attention to password policy requirements displayed on the page.
10. Submit New Password: Click the "Reset Password" or "Save" button.
11. Verify Success Message: Look for a confirmation that the password has been successfully updated.
12. Test New Login: Attempt to log in using the newly created password.
13. Repeat for Error Cases: Systematically go through the error scenarios outlined above, documenting each observed behavior and error message.
14. Accessibility Check: Use keyboard navigation and a screen reader to test the entire flow.
### Automated Testing Approach for Web
Automated testing is essential for regression and efficiency. For web applications, frameworks like Playwright and Selenium WebDriver are industry standards.
Playwright is a strong choice for modern web testing due to its speed, reliability, and robust API. It offers cross-browser support and auto-waits.
Example using Playwright (Node.js):
```javascript
const { test, expect } = require('@playwright/test');

test('Forgot password flow', async ({ page }) => {
  // Navigate to the login page
  await page.goto('YOUR_APP_LOGIN_URL');
  // Click the forgot password link
  await page.click('text="Forgot Password?"');
  // Enter a registered email
  await page.fill('input[name="email"]', 'testuser@example.com');
  // Submit the request
  await page.click('button[type="submit"]');

  // --- This part is tricky for automation: Email reception ---
  // For email verification, you'd typically integrate with an email testing service
  // like Mailtrap, Ethereal, or use IMAP/POP3 if your test environment allows.
  // Assuming you have a way to get the reset link (e.g., from an email testing service API):
  const resetLink = await getResetLinkFromEmailService('testuser@example.com');

  // Navigate to the reset link
  await page.goto(resetLink);
  // Enter a new password
  await page.fill('input[name="newPassword"]', 'NewStrongPassword123!');
  await page.fill('input[name="confirmPassword"]', 'NewStrongPassword123!');
  // Submit the new password
  await page.click('button[type="submit"]');
  // Verify success message (adjust selector as needed)
  await expect(page.locator('text="Password reset successfully."')).toBeVisible();

  // Verify login with new password
  await page.fill('input[name="email"]', 'testuser@example.com'); // Or username
  await page.fill('input[name="password"]', 'NewStrongPassword123!');
  await page.click('button[type="submit"]');
  // Verify successful login (e.g., check for a dashboard element)
  await expect(page.locator('text="Welcome, Test User!"')).toBeVisible();
});

// Placeholder function for getting the reset link from an email service
async function getResetLinkFromEmailService(emailAddress) {
  // Replace with actual integration logic for your email testing service
  console.log(`Simulating fetching reset link for ${emailAddress}...`);
  // In a real scenario, you'd query your email testing service API.
  // For demonstration, returning a dummy link:
  return 'https://your-app.com/reset-password?token=dummy_valid_token_12345';
}
```
Key considerations for automation:
- Email Handling: Automating the verification of received emails and extracting reset links is a common challenge. Use dedicated email testing services (Mailtrap, Ethereal) or integrate directly with your mail server for programmatic access.
- Selectors: Use robust, stable selectors (e.g., data-testid or name attributes) to avoid brittle tests.
- Assertions: Verify that expected elements appear, error messages are displayed, and users are redirected correctly.
- CI/CD Integration: Ensure your automated tests can be triggered automatically on code commits using tools like GitHub Actions. The output should be in a standard format like JUnit XML for easy reporting.
### How SUSA Tests Forgot Password Autonomously
SUSA's autonomous QA platform tackles forgot password flows by simulating real user interactions across multiple user personas. This dynamic testing approach uncovers issues that traditional scripted tests might miss.
- Curious/Novice Personas: Explore the flow naturally, looking for intuitive UI and clear instructions. They are likely to find usability issues or confusing error messages.
- Impatient Persona: Will rapidly click through, potentially exposing race conditions or issues with rapid form submissions.
- Adversarial Persona: Actively tries to break the flow by entering invalid data, attempting to reuse tokens, or bypassing steps. This persona is crucial for uncovering security vulnerabilities and robust error handling.
- Accessibility Persona: Specifically targets keyboard navigation, screen reader compatibility, and color contrast, ensuring the flow is usable by everyone. SUSA performs WCAG 2.1 AA testing as part of its autonomous exploration.
- Power User Persona: May try to exploit shortcuts or advanced features (if any exist in the flow), potentially revealing edge case bugs.
SUSA identifies:
- Crashes and ANRs (Application Not Responding): If the reset process causes the application to freeze or crash.
- Dead Buttons: Elements that are visible but non-interactive.
- Accessibility Violations: Detected by the Accessibility persona, adhering to WCAG 2.1 AA standards.
- Security Issues: The adversarial persona, coupled with SUSA's OWASP Top 10 checks and API security analysis, can detect insecure token handling, lack of rate limiting, and