For anyone finding this from search, if using Django, then you can also use the constant_time_compare function in django.utils.crypto.
>>> from django.utils.crypto import constant_time_compare
>>> constant_time_compare("foo", "bar")
False
>>> constant_time_compare("foo", "foo")
True
Note that this comes with the same caveat as hmac.compare_digest (and actually uses hmac.compare_digest if it exists):
Note: If a and b are of different lengths, or if an error occurs, a timing attack could theoretically reveal information about the types and lengths of a and b–but not their values.
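The length and type caveat quoted above can be sidestepped by comparing fixed-length digests instead of the raw values. The following is an added example, not part of the original answer or of Django's code; it uses only the standard library, and the names fixed_length_equal, verify_signature and _BLIND_KEY are hypothetical.

```python
import hashlib
import hmac
import secrets

# Per-process random key (assumption for this example): it only blinds the
# comparison and is never stored or shared.
_BLIND_KEY = secrets.token_bytes(32)


def _to_bytes(value):
    """Normalise str/bytes to bytes so compare_digest never sees mixed
    types or a non-ASCII str (both raise TypeError)."""
    if isinstance(value, str):
        return value.encode("utf-8")
    if isinstance(value, (bytes, bytearray)):
        return bytes(value)
    raise TypeError("expected str or bytes")


def fixed_length_equal(supplied, expected):
    """Compare two secrets without exposing their lengths to the comparison.

    Each side is first reduced to a 32-byte HMAC-SHA256 tag, so
    hmac.compare_digest always receives equal-length inputs.
    """
    a = hmac.new(_BLIND_KEY, _to_bytes(supplied), hashlib.sha256).digest()
    b = hmac.new(_BLIND_KEY, _to_bytes(expected), hashlib.sha256).digest()
    return hmac.compare_digest(a, b)


def verify_signature(secret, body, supplied_hex):
    """Check a hex HMAC-SHA256 signature over body (e.g. a webhook payload)."""
    expected_hex = hmac.new(
        _to_bytes(secret), _to_bytes(body), hashlib.sha256
    ).hexdigest()
    return fixed_length_equal(supplied_hex, expected_hex)
```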