Why not just use a video camera to watch them type on the keyboard? Plus, mobile devices show the last character typed. You're right, but this could be avoided by (for example) only displaying colors after 4 characters are typed
I think a better solution would be to only show the colour hash after there hasn't been a keypress in a few seconds. This would likely be a pretty good way of making sure you only displayed the hash after they were done typing their password, which would prevent enabling a brute force attack.
