I answered by explaining that I would first validate positive scenarios (correct username and password), then negative scenarios (wrong credentials, blank fields, special characters), boundary cases (minimum and maximum input lengths), usability checks (error messages, alignment), and security aspects (SQL injection attempts, session handling). I emphasized documenting test cases clearly and reporting defects with proper steps to reproduce.