Constant-time string comparison to prevent timing attacks

[mgates]

return password == "password" is vulnerable to timing attacks. Something like https://github.com/PeterScott/streql should be used to prevent them.

I can make a PR if you want.

[mdavis-xyz]

Would this slow down the performance of web pages noticeably? If so, should we make this optional?