That's a very interesting interpretation of the linked papers.

While timing information may make brute force attacks against the passwords easier, it is not feasible to reconstruct passwords based on the timing information exposed by Ebay.

It is also worth noting that the ability to perform more efficient brute force searches doesn't really matter in the case of Ebay, as it will not make such attacks feasible over the internet.

Attacks only get better.

Sometimes they stay at exactly the same level forever.

Its a classic quote from Bruce Schneier. I should have attributed it. I thought the crowd would get it.

While often attributed to Schneier, he attributes it to the NSA https://www.schneier.com/blog/archives/2011/08/new_attack_on...

It is, and will remain impossible to deduce a victims password from such a small timing sample.

There simply isn't enough data.

I do trust you aren't an Ebay security team? ;)

http://www.wired.com/2011/10/iphone-keylogger-spying/ etc.

>I do trust you aren't an Ebay security team? ;)

Luckily, not my kind of a gig.

>http://www.wired.com/2011/10/iphone-keylogger-spying/ etc.

This attack depends on being able to identify individual keys so it's not really applicable here. However, a similar attack might be possible here if not for the very small sample size.

It was guessing pairs of keys. But anyway.