random delay does not fix the problem
A random delay on the error page does not prevent the timing attack. Only making all security checks uniform in runtime performance (between success and failure) will defeat the timing attacks.
1 publicly visible post • joined 22 Sep 2010