Passwords: check in constant time

The default password comparison logic does not use constant-time validation. Switching to constant time offers a meager improvement by removing a timing oracle.

A preparatory step in moving to Argon2id password storage, since we'll need this change anyway after for validating existing passwords.

Co-authored-by: Graham Christensen <graham@grahamc.com>

Created by Graham Christensen on April 15, 2021
ASPD4MDNLVUI77M2JH2KHQUMIU5B2NRIKI7BXJVSQ3C7OGYEB3YQC
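The timing oracle the commit message refers to, as an added example that is not code from this change or from the project: an ordinary early-exit comparison does work proportional to the matching prefix, while a constant-time comparison does the same work for every input. The salted SHA-256 scheme, the salt and all function names are assumptions made for illustration; the page does not say which hash the application currently stores.

```python
import hashlib
import hmac

# Constructed sample salt; salted SHA-256 is an assumed stand-in for the
# legacy scheme, which the page does not name.
SALT = b"constructed-salt"


def legacy_hash(password: str) -> bytes:
    """Hex digest of the assumed legacy scheme, as ASCII bytes."""
    return hashlib.sha256(SALT + password.encode("utf-8")).hexdigest().encode("ascii")


def early_exit_equal(a: bytes, b: bytes) -> tuple[bool, int]:
    """Ordinary comparison: stops at the first mismatching byte.

    Returns (equal, bytes_examined). bytes_examined is a deterministic
    stand-in for running time; it grows with the matching prefix length,
    which is exactly what a timing oracle exposes.
    """
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return False, i + 1
    return True, len(a)


def fixed_work_equal(a: bytes, b: bytes) -> tuple[bool, int]:
    """Constant-time pattern: fold every byte into one accumulator and
    decide once at the end. Shown to illustrate the idea; in Python use
    hmac.compare_digest, as verify_password does."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)


def verify_password(stored: bytes, candidate: str) -> bool:
    """Hash the candidate, then compare digests without an early exit."""
    return hmac.compare_digest(stored, legacy_hash(candidate))
```
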
Change contents