
You can view source to see what they're using to generate the fingerprint: screenSize, devicePixelRatio, timezone, mimeTypes, plugins, httpAcceptHeaders, fonts. It's interesting that these are enough to generate a moderately unique fingerprint. I'm sure my fonts list is unique, so that's probably enough to ID me right there. However, not every computer I use has the same fonts installed, nor the same screen dimensions. This won't track me as I go from my desktop to mobile device.


Professional authentication managers such as RSA Adaptive Authentication can gather 40 or 50 data points from which to tell if a user is somewhat the same or not. They apply a ratio to the value generated by which a user can be redirected to a challenge question. It's not foolproof but it prevents a lot of automated phishing or botnet scams from being able to automatically log in with your credentials.


I think the font question was answered by http://panopticlick.eff.org/


Yes, I tried Panopticlick on a number of different computers and it was always the fonts that gave them the most bits of entropy. I wonder if installing a couple of new fonts and deleting a few others (which I do from time to time) would make them believe I'm a different person...

But really, browsers should stop allowing scripts to access the full list of available fonts. What use does a website have for that data, anyway? Any site that doesn't want to use one of the standard fonts should be using webfonts nowadays.


I would say how unique the fingerprint really is is actually an important issue. I wonder how much traffic / time it takes before collisions start to occur. In the current setting it would probably suffice if the fingerprint generated one of just 100 or 500 values: the traffic is probably rather low, you visit the page for maybe a few minutes, and you probably won't go back to it in 3 days or even in 1 hour just to check whether some other guy didn't overwrite your secret word.

Regardless, it's a very interesting idea, and it also illustrates how difficult and counter-intuitive security can be if you do not study such issues. As an API designer I would surely have a hard time foreseeing that exposing the screen size or fonts list could turn out to be a security issue for the users.


> This won't track me as I go from my desktop to mobile device.

May not even track from one browser to the next. Camino and Safari generate different fingerprints on my machine.


Also for me, Firefox and Chrome, different fingerprints.


That said, they can probably eventually start correlating the different fingerprints using other data, like device id, location patterns, etc. It would not be impossible to build a dossier of all your browsers and devices, especially if you ever log in to any online service from multiple machines.



