But imagine the loop would be the string we know (i.e. the password). Looping through the 10-character pass should be identical every time, regardless of what the user entered.
I imagine the strlen() function is not constant-time, so I'd remove it, but it might work, yes (but you'd have to check PHP's source code and have a deep understanding of it to really be sure).
libc `strlen()` is O(n), but PHP strings are binary safe (i.e. http://3v4l.org/47iaP ) so it must be storing a length as part of the string zval. So PHP strlen should be constant time.
+1 for recommending checking the PHP source code to be sure, though.
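The idea discussed in these comments, as an added sketch that is not code from any of the commenters: iterate over the known string only, so the number of loop iterations never depends on what the user submitted. The function name `compare_over_known` and the sample values are hypothetical; PHP's built-in `hash_equals()` (PHP 5.6+) is the maintained way to do this comparison.

```php
<?php
// Added illustration; names and sample values are constructed.
function compare_over_known(string $known, string $user): bool
{
    $knownLen = strlen($known);
    $userLen  = strlen($user);

    // Fold a length mismatch into the accumulator instead of returning early.
    $diff = $knownLen ^ $userLen;

    // Append one NUL byte so indexing is always valid and the modulo
    // below never divides by zero, even for an empty submission.
    $padded    = $user . "\0";
    $paddedLen = $userLen + 1;

    // The iteration count depends only on the known string.
    for ($i = 0; $i < $knownLen; $i++) {
        // OR the byte differences together; no branch on a match or mismatch.
        $diff |= ord($known[$i]) ^ ord($padded[$i % $paddedLen]);
    }

    return $diff === 0;
}

$known = 'S3cretPass';                                  // constructed 10-character value
var_dump(compare_over_known($known, 'S3cretPass'));    // same string
var_dump(compare_over_known($known, 'S3cretPasX'));    // last byte differs
var_dump(compare_over_known($known, ''));              // empty submission
var_dump(compare_over_known($known, 'S3cretPassXYZ')); // longer submission

// Built-in equivalent: known string first, user-supplied string second.
var_dump(hash_equals($known, 'S3cretPass'));
```

Whether the interpreter really executes the userland loop in constant time still has to be confirmed against the PHP source, as the comments above point out.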