diff --git a/typo3/sysext/saltedpasswords/Classes/SaltedPasswordService.php b/typo3/sysext/saltedpasswords/Classes/SaltedPasswordService.php
index 0bb6bb884c46b3855aa1b56262bb35e96a8647a4..4073da2b6440e036dcb5f87c0150aa04dbc00843 100644
--- a/typo3/sysext/saltedpasswords/Classes/SaltedPasswordService.php
+++ b/typo3/sysext/saltedpasswords/Classes/SaltedPasswordService.php
@@ -135,13 +135,13 @@ class SaltedPasswordService extends \TYPO3\CMS\Sv\AbstractAuthenticationService
                     $this->authenticationFailed = true;
                 }
             } elseif (preg_match('/[0-9abcdef]{32,32}/', $user['password'])) {
-                $validPasswd = md5($password) === (string)$user['password'];
+                $validPasswd = \hash_equals(md5($password), (string)$user['password']);
                 // Skip further authentication methods
                 if (!$validPasswd) {
                     $this->authenticationFailed = true;
                 }
             } else {
-                $validPasswd = (string)$password !== '' && (string)$password === (string)$user['password'];
+                $validPasswd = (string)$password !== '' && \hash_equals((string)$user['password'], (string)$password);
             }
             // Should we store the new format value in DB?
             if ($validPasswd && (int)$this->extConf['updatePasswd']) {