login handler: Use constant-time comparison for hashes.
An attacker knowing the salt but not the hash could try timing attacks to guess a password hash and then try to find it from the hash. Although not a high risk, there is no good reason not to use a constant-time comparison, hence this commit.
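An added example, not code from this commit or its project: it contrasts an early-exit hash comparison, whose work depends on where the first mismatch falls, with a comparison that always examines every byte. The PBKDF2 parameters, the salt, the password and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

SALT = b"constructed-salt"  # constructed sample value


def hash_password(password, salt):
    # PBKDF2 stands in for whatever hash the real login handler uses (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)


def early_exit_equal(a, b):
    """Naive compare. Returns (equal, bytes_examined) so the leak is visible."""
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined  # work done depends on the matching prefix
    return True, examined


def full_scan_equal(a, b):
    """Accumulates differences and never stops early.

    Illustrative only: a Python loop gives no hard timing guarantee, which is
    why verify_login below uses hmac.compare_digest instead.
    """
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)


def verify_login(password, salt, stored_hash):
    # The standard-library primitive intended for comparing secrets.
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


STORED = hash_password("correct horse", SALT)               # constructed sample
FIRST_BYTE_OFF = bytes([STORED[0] ^ 1]) + STORED[1:]        # mismatch at byte 0
LAST_BYTE_OFF = STORED[:-1] + bytes([STORED[-1] ^ 1])       # mismatch at byte 31
```

With the early-exit version the two wrong candidates are distinguishable by how many bytes were examined; with the full scan, and with `hmac.compare_digest`, they are not.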