diff --git a/internal/db/user.go b/internal/db/user.go
index 4c757d7..bb307f7 100644
--- a/internal/db/user.go
+++ b/internal/db/user.go
@@ -1,8 +1,8 @@
 package db
 
 import (
- "bytes"
 "crypto/rand"
+ "crypto/subtle"
 "encoding/base64"
 "errors"
 "fmt"
@@ -111,8 +111,7 @@ func comparePassword(hashedPassword string, password string) (bool, error) {
 computedHash := argon2.IDKey([]byte(password), salt, 2, 64*1024, 1, pwdHashSize)
 
 // Compare the computed hash with the stored hash
- // todo constant time?
- return bytes.Equal(hash, computedHash), nil
+ return subtle.ConstantTimeCompare(hash, computedHash) == 1, nil
 }
 
 // DeleteUser deletes a user with the specified username from the database.
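Review bot: The switch to `subtle.ConstantTimeCompare` is the right fix, but the Argon2 parameters on the context line just above it (`2, 64*1024, 1`) remain bare literals; name them, e.g. `argonTime = 2`, `argonMemoryKiB = 64 * 1024`, `argonThreads = 1`, with a comment that they cannot be changed without invalidating every stored hash unless the stored format records them (the decoding of `hashedPassword` is outside this hunk, so I cannot tell whether it does). Note also that `subtle.ConstantTimeCompare` returns 0 immediately when the two slices differ in length, so a stored hash whose decoded length is not `pwdHashSize` is reported as a plain wrong password; checking that length where the hash is decoded and returning an error there would let callers distinguish a corrupt record from a bad credential. comparePassword starts before this hunk — only its signature is visible, in the hunk header.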