UsernamePasswordLoginModule uses String#equals(Object) to compare passwords or password hashes. This uses short circuit logic and stops comparing once a difference is found. This makes it vulnerable to timing attacks.
MessageDigest#isEqual has been updated to address the issue. Unfortunately MessageDigest#isEqual operates on byte instead of String wo we can't use it directly.