If you want to not leak length, compare a pre-hashed value. Attacker can know how long to hash their input but (and use a timing-safe comparison for the hashes; somewhere else has a hash + random salt method that doesn't require a timing-safe equals since the target value is randomly permutated) can't even know how long the target string is.
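The approach described above, as an added example that is not part of the original comment: the target is stored only as a SHA-256 digest, so every comparison runs over two 32-byte values regardless of how long the secret was. The class name `PrehashedSecret`, the choice of SHA-256, the sample token, and the reading of the "hash + random salt" method as an HMAC under a fresh per-comparison key are assumptions.

```python
import hashlib
import hmac
import secrets


class PrehashedSecret:
    """Holds only the SHA-256 digest of the target value (hypothetical helper)."""

    def __init__(self, secret: bytes) -> None:
        # Hashed once, up front. Later checks never touch the raw secret,
        # so no per-request work depends on its length.
        self._digest = hashlib.sha256(secret).digest()

    def matches(self, candidate: bytes) -> bool:
        # Time spent hashing depends only on the caller's own input length.
        cand = hashlib.sha256(candidate).digest()
        # Both operands are always 32 bytes; compare without early exit.
        return hmac.compare_digest(cand, self._digest)

    def matches_random_keyed(self, candidate: bytes) -> bool:
        # Assumed reading of the "hash + random salt" variant: HMAC both
        # digests under a key that is fresh for every comparison.
        key = secrets.token_bytes(32)
        cand = hmac.new(key, hashlib.sha256(candidate).digest(), hashlib.sha256).digest()
        target = hmac.new(key, self._digest, hashlib.sha256).digest()
        # The compared bytes differ unpredictably on every call, so the point
        # where an ordinary == stops early is not something the caller can steer.
        return cand == target


def demo() -> list:
    stored = PrehashedSecret(b"constructed-sample-token-0123")  # constructed value
    # Constructed candidates: empty, too short, exact match, far too long.
    candidates = [b"", b"c", b"constructed-sample-token-0123", b"x" * 4096]
    return [(stored.matches(c), stored.matches_random_keyed(c)) for c in candidates]


if __name__ == "__main__":
    for plain, keyed in demo():
        print(plain, keyed)
```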