The linked paper says 5.7 bits of password entropy can be recovered by timing data; while the brute-force time will have changed in 22 years, this number should still be valid. An easy workaround is to use a password manager (a plain file as a minimum) and to copy/paste passwords in - though that might violate other security preferences.
Philipp Marek wrote:
> An easy workaround is to use a password manager (a plain file as a minimum)

If you can/want to use a file then consider using a key instead. publickey authentication is non-interactive on the wire and the key is already unlocked so packet timing leaks nothing about your passphrase.

//Peter