Because it relies on the User to enter the correct string in the field - and the user may not understand exactly what should go here and why.
Hey guys, stupid user popping up again... :)
I was just playing with PM; seeing what happens with different settings - how does PM recognize the web site, what affects the password generation, etc.
I just discovered that I *completely* misunderstood how the URL fields are used.
As a result, I've got several sites with the same password.
Ok, I'm different - I make specific accounts for every site. (that's how I historically have done it; never occurred to me to change...)
I didn't realize that if there's nothing in the "Use this URL" field, then the URL isn't being used as part of the password generation.
I do have a URL in the "When URL contains" field, but changing that doesn't change the generated password. (I realize now that's being used only to recognize the web site)
What started this was playing with different ways to log in to ebay, and what's necessary to recognize a phishing URL. (i.e., "when URL contains "ebay.com/" is *not* enough - but if it's a phishing site, will a different password be generated... the way I'm set up, it won't! My goof, but there'll be others as dumb as me...)
I've got several accounts set up with the same user name, and nothing in the "use this URL" - they all get the same password. (although it happens I had them set for different lengths; that's why I didn't notice it at first)
So the actual page URL isn't being used at all in this case...
I found that if I went to eBay, logged out, then clicked the "log in" button I'd end up at a slightly different URL than if I went to the main page and clicked "log in".
When I used the default account, and set it to use the whole URL, I did of course get two different passwords.
That brings up the question - why aren't the URL component checkboxes available on the account-specific settings? (I guess because you can put whatever's to be used in the "use this URL" field... that makes sense - I just was looking for them)
I think my point in all this is that I'm supposedly reasonably intelligent, and if I'm confused by this, then how will my wife ever hope to use it?
(assuming that a goal is to get PM into the hands of general users - my wife is smarter - albeit not terribly computer-savvy - than 90% of the folks out there....)
Seems to me this breaks down into two parts:
1) how does PM find the account for the page the user is currently at. (and more importantly - how does a user understand when they've set something wrong, and PM doesn't recognize the right account! - i.e., the user's set up "www.ebay.com" 'cause that's what they type into the browser - but the URL is at "signing.ebay.com". The user's left sitting there with the wrong password, thinking "this thing is just broken!" - not good...)
(this ties in to phishing schemes too, btw - can't have URL-recognition be so fuzzy it matches to a phishing URL)
2) how should PM use the URL to generate the password - either of the site they're at in the browser, or a subset/specified URL in the account settings - when the user doesn't know a protocol from a TLD? (the answer can't be "educate them" - good answer, but we're dealing with human beings so it fails right there. Why does phishing work in the first place??? :(
Uh, for that matter - in the URL checkboxes - what's "anchor" refer to? I understand the rest, but that throws me.
(crap, I'm rambling again - one of these years I have to learn to write concisely...)
- Al -
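The two behaviours Al describes above (an empty "use this URL" field means the site is not part of the derivation at all, and a plain "when URL contains" substring test is too loose to keep a lookalike page from matching) can be shown with a small model. The following is an added example, not code from the post or from the PasswordMaker project; its `derive` function is a simplified HMAC-based stand-in for PM's real hash/charset scheme, the master secret and the `login.phish.example` lookalike URL are constructed for the demo, and the two eBay hosts are the ones named in the post. `url_components` also shows what the "anchor" checkbox refers to: the `#...` fragment at the end of a URL.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed master secret for the demo only; not a real credential.
MASTER = "correct horse battery staple"


def derive(master: str, username: str, url_component: str, length: int = 12) -> str:
    """Simplified PasswordMaker-style derivation (assumption: a stand-in for
    PM's real algorithm). The only site-specific input is url_component; if
    the caller passes "" (empty 'use this URL' field), every site with the
    same username gets the same password."""
    msg = f"{url_component}\x00{username}".encode()
    digest = hmac.new(master.encode(), msg, hashlib.sha256).hexdigest()
    return digest[:length]


def url_components(url: str) -> dict:
    """Split a URL into the pieces PM's checkboxes name. 'anchor' is the
    fragment after '#', which the browser never sends to the server."""
    parts = urlsplit(url)
    return {
        "protocol": parts.scheme,
        "host": parts.hostname or "",
        "port": parts.port,
        "path": parts.path,
        "query": parts.query,
        "anchor": parts.fragment,
    }


def registrable_domain(url: str) -> str:
    """Last two host labels (naive: no public-suffix list, so 'co.uk'-style
    domains would need a real suffix list). This is the value a user would
    want in 'use this URL' so www.ebay.com and signing.ebay.com share a
    password while a different domain does not."""
    labels = url_components(url)["host"].split(".")
    return ".".join(labels[-2:])


def substring_match(url: str, needle: str) -> bool:
    """'When URL contains' as a plain substring test over the whole URL.
    Too fuzzy: the needle can appear in the path of an unrelated host."""
    return needle in url


def host_match(url: str, domain: str) -> bool:
    """Stricter recognition: the host must equal domain or be a subdomain of
    it, so 'ebay.com' appearing in a path or a longer hostname is rejected."""
    host = url_components(url)["host"]
    return host == domain or host.endswith("." + domain)


def passwords_for(urls, username: str, use_url: bool) -> list:
    """Passwords the model would produce for each URL, with the 'use this
    URL' field either empty (use_url=False) or set to the registrable
    domain (use_url=True)."""
    return [
        derive(MASTER, username, registrable_domain(u) if use_url else "")
        for u in urls
    ]


if __name__ == "__main__":
    legit = ["https://www.ebay.com/", "https://signing.ebay.com/"]
    lookalike = "https://login.phish.example/ebay.com/#signin"  # constructed
    print("empty field:", passwords_for(legit + [lookalike], "al", False))
    print("domain used:", passwords_for(legit + [lookalike], "al", True))
    print("substring 'ebay.com/' matches lookalike:", substring_match(lookalike, "ebay.com/"))
    print("host match ebay.com matches lookalike:", host_match(lookalike, "ebay.com"))
    print("anchor of lookalike:", url_components(lookalike)["anchor"])
```

Run as-is, the first line shows one identical password for all three URLs, the second shows the two eBay hosts sharing one password and the lookalike getting a different one, and the substring test accepts the lookalike while the host test rejects it.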