by beyondkaoru 6162 days ago
This sounds like it would be easily fixed using a this-page-only salt for your hashing function. I.e., when someone else visits the login page, they get a different salt and thus can't use that attack. This could be done on the server (if you use a dynamically generated page) or on the client (with some JavaScript).

How do you know it's "someone else"? It's the login page, you don't know who you're displaying the page to yet.

And if you mean a different salt every time the page gets loaded: doesn't that completely skip the supposed point, which is to give the user a recognizable visual cue that they typed the right password?

The demo seems to highlight its use as a visual cue that your confirmed password is the same as the original. Not that useful in my opinion, as one attempt at creating an account with non-matching passwords will tell you they don't match anyway, and you (usually) only create an account once.

Still, pretty cool demo and very nice colour schemes.