diff --git a/radicale/auth.py b/radicale/auth.py
index 2fa2807..8ae493a 100644
--- a/radicale/auth.py
+++ b/radicale/auth.py
@@ -57,6 +57,8 @@ import base64
 import functools
 import hashlib
 import os
+import random
+import time
 from importlib import import_module
@@ -192,6 +194,8 @@ class Auth(BaseAuth):
 line = line.strip()
 if line:
 login, hash_value = line.split(":")
- if login == user:
- return self.verify(hash_value, password)
+ if login == user and self.verify(hash_value, password):
+ return True
+ # Random timer to avoid timing oracles and simple bruteforce attacks
+ time.sleep(1 + random.random())
 return False
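Review bot: The added `time.sleep(1 + random.random())` in the second hunk runs only on the failure path and does not equalise the work done before it: a known login still pays for `self.verify(...)` while an unknown one does not, so the difference stays measurable once the uniform jitter is averaged over repeated requests. To close the login-existence oracle, run `self.verify` against a fixed dummy hash when no line matched, and check that the comparison inside `verify` (not visible here) is constant-time, e.g. `hmac.compare_digest`. The sleep also blocks the handling thread for 1–2 s per bad request, so it costs the server as much as the client; per-client rate limiting or lockout is a sturdier brute-force control, and the comment would be more accurate as `# Throttle failed logins; does not by itself hide whether the login exists`. A failed `verify` no longer returns at the first matching login, so a later duplicate entry for the same user can now authenticate, which looks like an unintended behaviour change. The enclosing method starts outside the hunk and the page has lost its indentation, so whether the sleep sits after the loop or inside it cannot be confirmed from here.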