The password for https://cdn-images-1.medium.com/max/800/1*wgrq2WIxhyBSfL1Tbr5Qbw.gif above is 'passwordpassword' -- this can be trivially determined by trying letters until the verification images are correct for each successive frame. (I did it by hand.)
This means that the master password is leaked if anyone can see your screen, including remotely etc. This is an unacceptable security risk.
I'd suggest that you shouldn't show any verification images until the user is done entering the password. Exactly what that means isn't entirely obvious, but I'd suggest it includes as a minimum
- minimum password length before showing any verification images, sufficient to make brute-forcing expensive even on 'correcthorsebatterystaple' type passwords with low entropy-per-character
- not showing images when the user still has focus on the text box; exceptions might be made if they're also hovering the copy button and haven't edited the password whilst doing so yet.
- reducing entropy in general in the final verification image -- a 99% verification accuracy is probably sufficient for a valid user who has typo'd their password but makes verification of a guessed password from the images more difficult for an offline attacker who has seen only the last image; I'm guessing the current verification image entropy is probably (10 colours * 100 emoji) ^ 3 images which rules out all but one in a billion passwords without querying the remote site, meaning 'correcthorsebatterystaple' type passwords need only dozens (69) of online attempts to get a password.
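A worked model of the leak and the proposed mitigations, added here as an example and not code from the project or the issue author. The verification image is stand-in: it is assumed to be three (colour, emoji) frames derived from a SHA-256 digest of the text typed so far, with 10 colours and 100 emoji per frame as guessed above; the real extension's rendering is not known here. The model shows why an image refreshed after every keystroke reduces recovery of the password to about `length * alphabet` image comparisons, whereas showing only the final image leaves an observer with the full `alphabet ** length` space, and how dropping frames from the final image (the "99 % accuracy" idea) raises the number of dictionary candidates that survive an offline match.

```python
import hashlib
import math
import string

ALPHABET = string.ascii_lowercase  # assumed character set for the cost model


def verification_image(typed: str, colours: int = 10, emoji: int = 100, frames: int = 3):
    """Constructed stand-in for the extension's verification image: `frames`
    (colour, emoji) pairs taken from a SHA-256 digest of the text typed so far.
    Deterministic, so the same input always renders the same picture."""
    digest = hashlib.sha256(typed.encode()).digest()
    return tuple((digest[2 * i] % colours, digest[2 * i + 1] % emoji) for i in range(frames))


def image_entropy_bits(colours: int = 10, emoji: int = 100, frames: int = 3) -> float:
    """Bits of information one image reveals: log2((colours * emoji) ** frames)."""
    return frames * math.log2(colours * emoji)


def per_keystroke_leak_cost(password: str, alphabet: str = ALPHABET) -> int:
    """Number of image comparisons an observer needs when a fresh image was shown
    after every keystroke: each prefix is confirmed independently, so the cost is
    at most len(password) * len(alphabet) instead of len(alphabet) ** len(password).
    Raises ValueError if a character is outside the modelled alphabet."""
    comparisons = 0
    recovered = ""
    for i in range(len(password)):
        observed = verification_image(password[: i + 1])  # frame seen on screen
        for ch in alphabet:
            comparisons += 1
            if verification_image(recovered + ch) == observed:
                recovered += ch
                break
        else:
            raise ValueError("character not in modelled alphabet")
    return comparisons


def final_image_only_cost(length: int, alphabet_size: int = len(ALPHABET)) -> int:
    """Search space when images appear only after the password is complete:
    the observer learns nothing about individual characters."""
    return alphabet_size ** length


def expected_survivors(dictionary_size: int, frames: int = 3) -> float:
    """Expected number of dictionary candidates whose image matches the one
    final image an offline observer saw. Fewer frames (lower image entropy)
    means more candidates survive and must be tried online against the site."""
    return dictionary_size / 2 ** image_entropy_bits(frames=frames)


if __name__ == "__main__":
    pw = "apple"  # constructed sample, not a real password
    print("image entropy (3 frames):", round(image_entropy_bits(), 2), "bits")
    print("per-keystroke images, comparisons:", per_keystroke_leak_cost(pw))
    print("final image only, search space:", final_image_only_cost(len(pw)))
    for frames in (3, 2, 1):
        print(f"survivors from 1e6-word list, {frames} frame(s):",
              expected_survivors(10 ** 6, frames=frames))
```

With three frames the image carries about 30 bits, so a million-word list is cut to roughly one candidate offline; with a single frame about a thousand candidates survive, which is the trade-off the last bullet describes. The per-keystroke figure for a five-letter word is under 130 comparisons in the worst case, which is the quantity the first two bullets (minimum length before any image, no image while the field has focus) are meant to remove.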