I'm not sure I agree that it would matter, but, either way, using a constant-time equality function might have given readers the impression that my code was safe to use. It isn't. That was never the intention. One of my main points was that it's extremely hard to do properly. My (pseudo-code) examples were intended to explain the concepts of salting and stretching. Perhaps it's unfortunate that they're actually valid Python.
People should use proven KDFs for password authentication, not implement their own (including using my SHA-salting/iteration examples.)
People should use proven KDFs for password authentication, not implement their own (including using my SHA-salting/iteration examples.)
Edit: removed "in web apps"