[Nogwater]

What if they hack your dropbox account and get a copy of the vault that way? They're not on your box, but now they can try to break into your vault.

[gnud]

Well, the decryption code is open source. And they have the ciphertext. So what does a timing attack give the attacker?

If keeppass removes the possible timing attack, the attacker could just add it back in and use their own client, if they have a copy of your database.

[imglorp]

Then a timing side channel is not relevant, because they won't be watching you operate the vault. Right?