With the prevalence of phishing schemes now, I think this is an important feature - even more so for the average user than for the experienced folk. (fwiw, I consider myself pretty experienced, but I almost got caught by a phishing email last year - it was late, I was busy, and I got a report that my credit card had anomalous information posted, and "here's the link to your account" - dammed if I didn't click the link and get ready to enter the password before I caught myself!)
Having PM recognize "this isn't the right site" will create smiles every time it saves someone from a phishing scam. A Good Thing...
I have to admit, I didn't read the docs much, and I was confused by the two URL fields at first. (for that matter, I'm not sure if I understand all the nuances even now; gotta read the docs sometime... :)
Considering that there's a push to move the more-complex parts of the password configuration away from the more user-friendly parts, how about something along these lines?
The user would see two fields - the first is the actual URL; the one they *should* be at.
They'd also have a "what's important in this URL" field that shows what must match the URL in the browser for this account to be used for this site.
Something like:
Web site URL:
http://www.google.com/anythingImportant parts, to recognize this web site:
http://www.google.com/anythingThis shows that the entire thing must match for this account to genterate a password at this URL. If there's anything different (even https instead of http) it won't match and will be rejected; no password will be generated.
The user can adjust what's important (maybe highlight a part and tap a button that says "not important" or "important" ? Dunno...)
So they could make it:
Web site URL:
http://www.google.com/anythingImportant parts, to recognize this web site:
http://www.
google.com/anythingThis indicates that this account is valid with:
http://www.google.com/anythinghttp://google.com/anythinghttp://mail.google.com/anything[/li][/list]but would NOT work with:
http://www.google.com/anything/andsomethinghttp://www.google.com/somethinghttp://www.google.com.badguy.xyz/anything[/li][/list](the big question is: is this clear to general users? I suspect it isn't... so better is needed)
There could also be a "allow anything here" indicator:
Web site URL:
http://www.google.com/anythingImportant parts, to recognize this web site:
https
://www.
google.com/anything(allow any text)The idea here is to show that http:// is ok, https:// is also ok (i.e., the 's' is permitted but not required) and anything can follow the URL and it's ok.
Hmmm... even as I type this it seems ugly and confusing to me... How can it be made flexible to power users (RegEx seems reasonable - but you'll never in a million years get my wife or father-in-law to use 'em) and simple enough for the vast general user?
Another thought - won't the average user look at PM when it's NOT generating a password and just think "it's not working - it's broken" (meaning PM) - they won't recognize they're not where they think they are?
Should there be something like a "why isn't this generating the password?" button, so when they're at
http://www.mybank.com.ruinstead of
https://www.mybank.comthey can tap that button and see:
The top-level domain differs: ru instead of com
The second-level domain differs: com.ru instead of mybank.com
The entire host name differs:
www.mybank.com.ru instead of
www.mybank.comProtocol differs: http:// instead of https://
DANGER!YOU ARE NOT AT THE RIGHT WEB SITE!POSSIBLE PHISHING SCAM![/li][/list]Just imagine your non-expert friend's reaction when that happens and they realize PasswordMaker just protected them from losing their bank account. Think they'll tell all their friends how good PM is? :)
- Al -