Hacker News
by nullc 3596 days ago
In fact, I declined to post the implementation for that reason.

I'm not sure if you read my writeup but I attempted to address that "users only glance at one or two characters" by suggesting the client show the users which characters to compare. It's a little kludgy with a text UI, however.

The idea is that the field of characters is large enough that comparing only a few is fine-- so long as they're selected in a way which isn't predictable to the attacker.
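An added sketch of the idea in the comment above (not nullc's implementation, which the comment says was not posted): the client picks the positions to compare with a CSPRNG, marks them under the fingerprint, and the chance that a partially matching forgery survives is C(m,k)/C(n,k). The function names, the uniform choice of positions, and the fingerprint strings are assumptions constructed for illustration.

```python
import secrets
from math import comb

def pick_positions(length, k):
    """Choose k distinct positions with the OS CSPRNG so the attacker
    cannot predict which characters the user will be asked to compare."""
    return sorted(secrets.SystemRandom().sample(range(length), k))

def render_prompt(fingerprint, positions):
    """Text-UI rendering: the fingerprint with carets under the chosen characters."""
    marks = "".join("^" if i in positions else " " for i in range(len(fingerprint)))
    return fingerprint + "\n" + marks

def user_check(shown, expected, positions):
    """Model a user who compares only the marked characters."""
    return all(shown[i] == expected[i] for i in positions)

def matching_count(a, b):
    """Number of positions at which two equal-length fingerprints agree."""
    return sum(x == y for x, y in zip(a, b))

def attacker_pass_probability(length, matching, k):
    """Probability that a forgery agreeing at `matching` of `length` positions
    passes a check of k uniformly random positions: C(matching,k)/C(length,k)."""
    return comb(matching, k) / comb(length, k)

# Constructed sample values, not real key fingerprints.
GENUINE = "3f9a1c07e2b84d65a0c19e7734bd2f58"
FORGED = "3f9a1c07e2b84d65ffffffffffffff58"  # same prefix and suffix as GENUINE

if __name__ == "__main__":
    n, k = len(GENUINE), 4
    pos = pick_positions(n, k)
    print(render_prompt(FORGED, pos))
    print("user accepts forgery:", user_check(FORGED, GENUINE, pos))
    m = matching_count(FORGED, GENUINE)
    print("forgery matches %d/%d chars, pass probability %.4f"
          % (m, n, attacker_pass_probability(n, m, k)))
```

A forgery tuned to the predictable glance (first and last characters) always passes that glance, while against randomly chosen positions it passes only when every chosen position happens to fall where it agrees with the genuine fingerprint.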