So in practice it prevents the attack as real world attackers have limited resources and try to find easier targets.

That’s what everyone says until they realize they understated the costs to attempt such an attack.

	▲	ozim a year ago \| parent [-]
		That's true if you host wordpress or joomla or something that is widely used that would have timing attack, because then someone will automate it for sure. If you have your custom web app I don't think anyone will bother unless you are bank or something.