diff --git a/lib/hashing_passwords.py b/lib/hashing_passwords.py
index 93ae5e12..4540db75 100644
--- a/lib/hashing_passwords.py
+++ b/lib/hashing_passwords.py
@@ -20,6 +20,7 @@ import hashlib from os import urandom from base64 import b64encode, b64decode from hashlib import pbkdf2_hmac +from hmac import compare_digest # Parameters to PBKDF2. Only affect new passwords.
@@ -53,9 +54,4 @@ def check_hash(password, hash_):
     hash_a = b64decode(hash_a.encode('utf-8'))
     hash_b = pbkdf2_hmac(hash_function, password, salt.encode('utf-8'), int(cost_factor), len(hash_a))
     assert len(hash_a) == len(hash_b) # we requested this from pbkdf2_bin()
-    # Same as "return hash_a == hash_b" but takes a constant time.
-    # See http://carlos.bueno.org/2011/10/timing.html
-    diff = 0
-    for char_a, char_b in zip(bytearray(hash_a), bytearray(hash_b)):
-        diff |= char_a ^ char_b
-    return diff == 0
+    return compare_digest(hash_a, hash_b)
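Review bot: The new `return compare_digest(hash_a, hash_b)` drops the only explanation of why a plain `==` is avoided here; keep a one-line why-comment above it, e.g. `# Constant-time comparison so a mismatch does not leak how many leading bytes matched.` The `assert len(hash_a) == len(hash_b)` on the preceding context line is now redundant, since `compare_digest` returns False for byte strings of unequal length, and as an `assert` it is stripped under `python -O`, so it should be removed rather than relied on as a check. That assert's comment also still refers to `pbkdf2_bin()` while the call two lines up is `pbkdf2_hmac`, which is worth fixing in the same commit. check_hash's signature and the parsing of `hash_` into `hash_function`, `cost_factor`, `salt` and `hash_a` lie above the hunk, so whether `password` arrives as bytes (which `pbkdf2_hmac` requires) cannot be confirmed from here.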