>If you manage to hack out a list of all 4-digit numbers that you recognize, it's trivial to brute-force which of those numbers are for your cards or for some other security PINs.
While correct, I think you're missing something huge.
I'm not sure how long it takes for your brain to recognize a 4-digit number as something you "know". Absolute fastest would be something around 32/second, as I believe that's about as fast as your brain can view an image (movie frame rate). However, I'm reasonably sure it's much slower than this, and we haven't even factored in how long it takes the computer hooked up to your brain to recognize a change. So for the purposes of this argument, I'm going to say about one PIN per second.
So, for a 4-digit PIN, you can spend 9999 seconds to "hack" the mark's brain, and then try all those combinations that showed a recognition pattern. Or you could just brute-force all 9999 permutations, likely at a rate much faster than 1 per second, without needing physical access to the mark, and without all sorts of crazy hardware.
>Now you just show your mark each symbol to check if it's a part of the password, which would drastically and usefully reduce your search space (unless it's a password that uses almost all ASCII characters, but those are extremely rare...).
No, the proposed method can't check if it's a part of the password, it can check if it's a part of a password/something the person has ever known. All alphanumerics would be included naturally.
>The reason for PINs is that if your PIN is '8243', then that number will provoke a "recognition" response much different than, say, '8244', which (to you) is just a random number with no specific associations.