I've been working on implementing bcrypt-ruby and have been reading about timing attacks, particularly your article here:

http://codahale.com/a-lesson-in-timing-attacks/

I notice that Devise (popular gem that uses bcrypt-ruby) implements a constant-time comparison algorithm in conjunction with bcrypt-ruby:

https://github.com/plataformatec/devise/blob/master/lib/devise.rb#L424

I also notice that bcrypt-ruby's BCrypt class inherits from Ruby's String class, and the BCrypt#== method simply calls up to super, thus comparing strings using Ruby's String#== method, which I assume is not a constant-time comparison algorithm.

Should BCrypt handle this constant time issue in it's comparison method?