The card below is the “product under test”. Use guided mode to see the bug list upfront, or blind mode to find them yourself first.
Techniques: Boundary value analysis, Error guessing
Waka Digital
Set your password
Your findings
Write down every bug you find. Be specific — where it is, what’s wrong, what it should be.
Planted bugs (5)
- The password input has `minlength="12"` but the pattern attribute is `(?=.*[A-Z])(?=.*[a-z])(?=.*\d).{8,}` which only requires 8 characters. A password of 9–11 characters that satisfies the pattern will still fail browser validation because of minlength. The two constraints contradict each other.
- The password input has `maxlength="20"`. This blocks longer passphrases (e.g. “correct-horse-battery-staple” = 28 chars) which are often more secure and memorable than short complex passwords. Modern guidance recommends minimums, not arbitrary maximums.
- The helper text says “one special character” is required, but the regex pattern does not include a special-character lookahead such as `(?=.*[!@#$%^&*])`. The hint and the actual validation disagree.
- The password strength indicator is static HTML. The bar never moves, no colour changes, and no criteria are checked off as the user types. There is no JavaScript updating the indicator, making it a decorative lie.
- There are three different minimum length values on the page: the password field has `minlength="12"`, the pattern says `.{8,}` (8 characters), and the confirmation field’s helper text says “Minimum 10 characters”. All three should agree on a single minimum.
Password rule testing: verify that every constraint (minlength, maxlength, pattern, helper text, live feedback) is internally consistent and follows current security best practices. Arbitrary maxlength limits and contradictory rules are common sources of user frustration.
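One way to automate this consistency check, as an added example that is not part of the original exercise. The `spec` object, the finding codes and the full hint sentences are assumptions built around the attribute values and phrases quoted in the bug list; the static strength indicator needs a live DOM and is not checked here.

```javascript
// Added example: audit a password field's declared rules for contradictions.
// Function names, the spec shape and finding codes are hypothetical.

// The HTML pattern attribute must match the whole value, so anchor it.
const anchored = (pattern) => new RegExp(`^(?:${pattern})$`, "u");

// Shortest probe the pattern accepts. The probe satisfies every character
// class (upper, lower, digit, special) so only length decides the result.
function patternMinLength(pattern, limit = 64) {
  const re = anchored(pattern);
  for (let n = 4; n <= limit; n++) {
    if (re.test("Aa1!" + "a".repeat(n - 4))) return n;
  }
  return null;
}

function auditPasswordRules(spec) {
  const findings = [];
  const pMin = patternMinLength(spec.pattern);
  const hintMins = spec.hints
    .map((h) => /minimum\s+(\d+)/i.exec(h))
    .filter(Boolean)
    .map((m) => Number(m[1]));
  // Every place a minimum is declared must agree on one value.
  const mins = new Set([spec.minlength, pMin, ...hintMins]);
  mins.delete(null);
  if (mins.size > 1) {
    findings.push({ code: "min-mismatch", values: [...mins].sort((a, b) => a - b) });
  }
  // Probe with no special character, long enough to pass every length rule.
  const noSpecial = "Aa1" + "a".repeat(Math.max(spec.minlength, pMin ?? 3) - 3);
  const hintWantsSpecial = spec.hints.some((h) => /special character/i.test(h));
  if (hintWantsSpecial && anchored(spec.pattern).test(noSpecial)) {
    findings.push({ code: "hint-special-not-enforced" });
  }
  if (spec.maxlength < spec.passphraseSample.length) {
    findings.push({ code: "maxlength-blocks-passphrase", maxlength: spec.maxlength });
  }
  return findings;
}

// Constructed input: attribute values and hint phrases as quoted in the bug list.
const wakaSpec = {
  minlength: 12,
  maxlength: 20,
  pattern: "(?=.*[A-Z])(?=.*[a-z])(?=.*\\d).{8,}",
  hints: ["Must include one special character", "Minimum 10 characters"],
  passphraseSample: "correct-horse-battery-staple",
};
console.log(auditPasswordRules(wakaSpec));
```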