Improve security of SFTP server against timing attacks

Use a constant time string comparison for password auth and only keep a hash of the password in memory.