Keystroke Fingerprinting Is Raising Concerns, Possible Kernel/Wayland Solution

    Phoronix: Keystroke Fingerprinting Is Raising Concerns, Possible Kernel/Wayland Solution

    With companies like Google and Facebook having developed keystroke fingerprinting technology to identify users based upon how long they press keys on the keyboard and the time between key presses, this poses new challenges for those wanting to stay completely anonymous on the Internet. A developer is trying to come up with a solution down to the display server or kernel level...


  • #2
    Couldn't this introduce noticeable input lag? (As if that wasn't bad enough already for some drivers.) This feature would need to be something that can be toggled.



    • #3
      More about keystroke fingerprinting by Paul Moore here - https://paul.reviews/behavioral-prof...u-cant-change/ - he also developed a Chrome extension for this named KeyboardPrivacy.

      You could run that extension if you use Chrome and see if you notice any delays. I haven't really noticed any delays to be honest.



      • #4
        Duh, just use NoScript, and avoid using websites like Facebook and Google. It's actually not hard.



        • #5
          I think that if somebody wants real anonymity surfing the Internet using Tor Browser or another browser, he should not only set maximum security in TorButton's options, but also completely disable Javascript using about:config -> javascript.enabled = false.
          I know this is a radical step and will break some websites, but in my opinion it is needed.

          But I personally sometimes surf the Internet/clearnet using Tor and do not need real anonymity, so I have Javascript enabled. I just put this as a side note/reminder.



          • #6
            Originally posted by rabcor:
            Couldn't this introduce noticeable input lag? (As if that wasn't bad enough already for some drivers.) This feature would need to be something that can be toggled.
            Neah, it probably just adds a few ms tops. Stuff you won't notice.
            And then it gets interesting to try to filter the real keystroke length by filtering out the noise introduced by the added random duration. And then we start crying that phones need more than 8 cores.

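
The trade-off raised in #2 and #6, as an added example that is not part of the thread or of the proposed kernel/Wayland change: it measures dwell and flight times on constructed typing data and applies an assumed mitigation model (an independent random delay per key event). The typist model, `addJitter`, `compare` and all numbers are assumptions made for illustration.

```javascript
// Added example, not from the thread. All typing data below is constructed.
function mulberry32(a) {            // small seeded PRNG, reproducible runs
  return function () {
    a = (a + 0x6D2B79F5) | 0;
    let t = Math.imul(a ^ (a >>> 15), 1 | a);
    t = (t + Math.imul(t ^ (t >>> 7), 61 | t)) ^ t;
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Constructed typist: n key presses, dwell (hold) time meanDwell +/- 15 ms,
// gap between keys meanGap +/- 30 ms. Timestamps are in milliseconds.
function typist(n, meanDwell, meanGap, rand) {
  const events = [];
  let t = 0;
  for (let i = 0; i < n; i++) {
    const up = t + meanDwell + (rand() - 0.5) * 30;
    events.push({ down: t, up });
    t = up + meanGap + (rand() - 0.5) * 60;
  }
  return events;
}

// The two features named in the article: dwell = how long a key is held,
// flight = time from releasing one key to pressing the next.
function features(events) {
  const dwell = events.map(e => e.up - e.down);
  const flight = events.slice(1).map((e, i) => e.down - events[i].up);
  return { dwell, flight };
}

// Assumed mitigation model: each event is delivered after an independent
// random delay in [0, maxJitter) ms. This is not the proposed patch.
function addJitter(events, maxJitter, rand) {
  return events.map(e => ({
    down: e.down + rand() * maxJitter,
    up: e.up + rand() * maxJitter,
  }));
}

const mean = xs => xs.reduce((a, b) => a + b, 0) / xs.length;
// What a page observes with and without the jitter, per key and on average.
function compare(n, meanDwell, maxJitter, seed) {
  const rand = mulberry32(seed);
  const events = typist(n, meanDwell, 120, rand);
  const raw = features(events);
  const seen = features(addJitter(events, maxJitter, rand));
  const worst = Math.max(...raw.dwell.map((d, i) => Math.abs(seen.dwell[i] - d)));
  return { rawMean: mean(raw.dwell), seenMean: mean(seen.dwell),
           flightShift: mean(seen.flight) - mean(raw.flight), worstSingleError: worst };
}
```

With 2000 keystrokes and 20 ms of jitter, a single dwell time can be off by most of the jitter range, while the mean dwell and flight times move by less than 2 ms. When evaluating a jitter-based mitigation, the long-run averages are therefore the thing to check.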


            • #7
              Originally posted by coastiron:
              I think that if somebody wants real anonymity surfing the Internet using Tor Browser or another browser, he should not only set maximum security in TorButton's options, but also completely disable Javascript using about:config -> javascript.enabled = false.
              I know this is a radical step and will break some websites, but in my opinion it is needed.

              But I personally sometimes surf the Internet/clearnet using Tor and do not need real anonymity, so I have Javascript enabled. I just put this as a side note/reminder.
              Running without Javascript is unique enough to be a fingerprint by itself.



              • #8
                @Zan Lynx
                But:
                1. In the Tor network this is not so uncommon
                2. If somebody wants to deanonymize you, she needs to connect your real identity with pseudonyms/logins used through the Tor network. The information that some user of the Tor network is not using Javascript: I don't see a way for this to help connect a real ID and pseudonyms.
                If you are not using JS in Tor Browser it does not mean that you are not using JS in other browsers, like Firefox, when you are not using Tor.

                Javascript can expose a lot of things to web pages like:
                1. time
                2. battery info
                3. fingerprint through rendering canvas
                4. fingerprint through behaviour of keyboard
                5. fingerprint through behaviour of mouse
                and so on
                and it makes a larger attack vector for vulnerabilities and exploits, and makes some vulnerabilities exploitable at all
                Last edited by coastiron; 24 March 2016, 11:24 AM.



                • #9
                  Originally posted by coastiron:
                  Javascript can expose a lot of things to web pages like:
                  a list of extensions installed in your browser, which is more than enough information to fingerprint a user.
                  As other people have said already... the solution to this problem is to use NoScript, or simply disable javascript.



                  • #10
                    Originally posted by stevenc:
                    Duh, just use NoScript, and avoid using websites like Facebook and Google. It's actually not hard.
                    I would admit uBlockO and uMatrix addons, they work for both FF-based and Chrome-based things and are easy to use. I can also admit uBlockO (O for Original, due to storyline quirks XD) is also a very lightweight adblocker, unlike adblockplus and somesuch. Not to mention it lacks "acceptable ads" treachery and pages actually load faster and use less RAM with uBlockO, while adblockplus could easily slow down page loading (!!!).

                    Not to mention NoScript is a privacy intruder on their own. They have a "WAN IP ∈ LAN" setting. How do you know they learn your WAN IP? NoScript is phoning home, learning how their server sees your IP. Needless to say it breaks privacy since the browser is phoning home to some 3rd party. Furthermore, they're fairly annoying with their ads on each and every update. To date, uBlock and uMatrix are bullshit-free and easy to use. Furthermore, using uMatrix one can even filter browser's/addons' "internal" activity, via the "behind the scene" scope. This can break quite some things, but filters EVERYTHING, even the browser's own attempts. Works best on FF-like things though, since Chrome has got some "critical" URLs hardcoded, so one can't get completely rid of nasty google "services" in chrome-like browsers by add-ons, only patching source would help.
                    Last edited by SystemCrasher; 24 March 2016, 12:23 PM.
