diff --git a/gratipay/security/crypto.py b/gratipay/security/crypto.py
index 6644ff6c41..4ebf54f415 100644
--- a/gratipay/security/crypto.py
+++ b/gratipay/security/crypto.py
@@ -5,6 +5,7 @@ import random
 import string
 import time
+import hmac
 from cryptography.fernet import Fernet, MultiFernet
@@ -57,13 +58,9 @@ def constant_time_compare(val1, val2):
 Returns True if the two strings are equal, False otherwise. The time taken is independent of the number of characters that match.
+ https://codahale.com/a-lesson-in-timing-attacks/
 """
- if len(val1) != len(val2):
- return False
- result = 0
- for x, y in zip(val1, val2):
- result |= ord(x) ^ ord(y)
- return result == 0
+ return hmac.compare_digest(bytes(val1), bytes(val2))
 # Encrypting Packer
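Review bot: The `bytes(val1)` / `bytes(val2)` wrapping on the new return line is fragile: on Python 3 `bytes("abc")` raises TypeError (no encoding given), and on Python 2 `bytes(u"\xe9")` raises UnicodeEncodeError, so a caller passing text values gets an exception instead of a comparison result — the removed loop-based implementation accepted any same-length str pair. Since `hmac.compare_digest` already accepts two bytes objects (or two ASCII-only str objects on Python 3) and returns False on a length mismatch, either pass the values through unchanged, `return hmac.compare_digest(val1, val2)`, or normalize text explicitly with `.encode('utf-8')` before the call rather than relying on `bytes()`. The docstring could also note that `compare_digest` only equalizes timing for equal-length inputs, so a length difference remains observable, e.g. `Note: the comparison time still depends on the lengths of the inputs.`; which Python version this file targets is not visible here, and `hmac.compare_digest` requires 2.7.7+ / 3.3+.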