by paulgb 6194 days ago
If the attacker had a video camera and the victim was a slow enough typer (I'm thinking hunt-and-pecker), brute force wouldn't even be necessary. You could incrementally build up a string that matched the password as each letter was typed using the hash generated after each letter is typed.

Fidelity of the graphs wouldn't matter at this point; you would just take the closest match and backtrack if necessary.

1 comments

Oh wow, I didn't even notice that it generated graphs on a keystroke/timer (though, I mean, duh). Wow, is this bad. Number of mask dots, 2 midpoint colors, and the final color; how many passwords in any dictionary does that reduce to?