Constant time comparison
== to compare sensitive hashes leaves you vulnerable to timing attacks.
This is because
false as soon as it finds two characters that
don't match. An attacker can make many requests with different values and
compare times to figure out how many characters were correct (the shorter the
response, the fewer correct characters).
The solution to this problem is to use a constant-time comparison algorithm.
This ensures that the method will always take the same amount of time,
regardless of how similar the hashes are. In Ruby, you can use
For more information, check out this excellent blog post.