diff --git a/svr-authpasswd.c b/svr-authpasswd.c
index 7a5a1210235d62fd06bbac94e10d18da57bbf35c..0153a53563948ccd478bc0c25c799e854a53798e 100644
--- a/svr-authpasswd.c
+++ b/svr-authpasswd.c
@@ -33,6 +33,8 @@
 
 #ifdef ENABLE_SVR_PASSWORD_AUTH
 
+/* not constant time when strings are differing lengths. 
+ string content isn't leaked, and crypt hashes are predictable length. */
 static int constant_time_strcmp(const char* a, const char* b) {
 	size_t la = strlen(a);
 	size_t lb = strlen(b);
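Review bot: The new comment above `constant_time_strcmp` records the length caveat but not the restriction it places on callers: the helper is only appropriate where the lengths of both arguments are not secret. That holds for crypt() output, but would not hold if the function were later reused for a plaintext password or a token. Since the name still promises constant time, I would state the precondition directly, e.g. `/* Only for strings whose length is not secret (e.g. crypt() hashes): timing depends on length via strlen() and on a length mismatch. */`. As a style point, the first comment line has trailing whitespace after "lengths." and the continuation line lacks the usual ` * ` prefix. The function body continues past the end of this hunk, so how a length mismatch is handled is not visible here.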