Not strictly necessary for our threat model, since we won't be
continuously trying to decrypt an attacker's files, which means a timing
attack shouldn't be possible. It's still overall more correct.
Constant time implementation borrowed from [1], but most constant time
memcmp implementations I've seen used similar techniques.
[1] https://github.com/veorq/cryptocoding#compare-secret-strings-in-constant-time