```Python
if not (credentials.username == "stanleyjobson") or not (credentials.password == "swordfish"):
    # Return some error
    ...
```

But by using the `secrets.compare_digest()` it will be secure against a type of attacks called "timing attacks".

### Timing Attacks { #timing-attacks }

But what's a "timing attack"?

Let's imagine some attackers are trying to guess the username and password.

        "Guava cannot securely create temporary files or directories under SDK versions before"
            + " Jelly Bean. You can create one yourself, either in the insecure default directory"
            + " or in a more secure directory, such as context.getCacheDir(). For more information,"
            + " see the Javadoc for Files.createTempDir().";

    @Override
    File createTempDir() {
      throw new IllegalStateException(MESSAGE);

- name: authx
  html_url: https://github.com/yezz123/authx
  stars: 978
  owner_login: yezz123
  owner_html_url: https://github.com/yezz123
- name: secure
  html_url: https://github.com/TypeError/secure
  stars: 942
  owner_login: TypeError
  owner_html_url: https://github.com/TypeError
- name: titiler
  html_url: https://github.com/developmentseed/titiler
  stars: 940

        assertArrayEquals("password123".toCharArray(), (char[]) passwordValue, "Password content should match");
    }

    @Test
    @DisplayName("Test secure password wipe")
    void testSecureWipePassword() throws Exception {
        String testPassword = "testPassword123";
        authenticator = new NtlmPasswordAuthenticator("DOMAIN", "username", testPassword);

            boolean result = response.verifySignature(buffer, 0, 100);

            assertTrue(result);
        }

        @Test
        @DisplayName("Should verify signature on error when secure negotiate required")
        void testVerifySignatureErrorWithSecureNegotiate() {
            byte[] buffer = new byte[100];
            response.setDigest(mockDigest);

     * This method searches for 'fess_ds++.xml' configuration files within JAR files
     * in the data store plugin directory and extracts component class names.
     *
     * <p>The method uses secure XML parsing features to prevent XXE attacks and
     * other XML-based vulnerabilities. Component class names are extracted from
     * the 'class' attribute of 'component' elements in the XML files.</p>
     *

    /** Local process ID for SMB messages */
    protected int localPid = -1;
    /** Local timezone for time calculations */
    protected TimeZone localTimeZone;
    /** Secure random generator for cryptographic operations */
    protected SecureRandom random;
    /** Whether to use command batching for improved performance */
    protected boolean useBatching = false;

                    this.auth.getUsername(), this.workstation, this.ntlmsspFlags);
        }

        // Use secure password handling
        String passwordString = null;
        if (this.auth.isGuest()) {
            passwordString = this.transportContext.getConfig().getGuestPassword();
        } else {

 * host platform (like Android). In July 2018 Android had 134 trusted root certificates for its HTTP
 * clients to trust.
 *
 * For example, in order to establish a secure connection to `https://www.squareup.com/`,
 * these three certificates are used.
 *
 * ```
 * www.squareup.com certificate:
 *
 * Common Name: www.squareup.com

 *
 *  * call ([callStart], [callEnd], [callFailed])
 *    * proxy selection ([proxySelectStart], [proxySelectEnd])
 *    * dns ([dnsStart], [dnsEnd])
 *    * connect ([connectStart], [connectEnd], [connectFailed])
 *      * secure connect ([secureConnectStart], [secureConnectEnd])
 *    * connection held ([connectionAcquired], [connectionReleased])
 *      * request ([requestFailed])
 *        * headers ([requestHeadersStart], [requestHeadersEnd])