diff --git a/django/contrib/auth/models.py b/django/contrib/auth/models.py
index ec3af633bd..8fcbdef6e8 100644
--- a/django/contrib/auth/models.py
+++ b/django/contrib/auth/models.py
@@ -10,6 +10,7 @@ from django.contrib.contenttypes.models import ContentType
 from django.utils.encoding import smart_str
 from django.utils.hashcompat import md5_constructor, sha_constructor
 from django.utils.translation import ugettext_lazy as _
+from django.utils.crypto import constant_time_compare
 
 UNUSABLE_PASSWORD = '!' # This will never be a valid hash
 
@@ -39,7 +40,7 @@ def check_password(raw_password, enc_password):
     encryption formats behind the scenes.
     """
     algo, salt, hsh = enc_password.split('$')
-    return hsh == get_hexdigest(algo, salt, raw_password)
+    return constant_time_compare(hsh, get_hexdigest(algo, salt, raw_password))
 
 def update_last_login(sender, user, **kwargs):
     """
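Review bot: The added import is appended after the `django.utils.translation` line, breaking the alphabetical order the surrounding `django.utils.*` imports follow (encoding, hashcompat, translation); `crypto` sorts before all three. Move `from django.utils.crypto import constant_time_compare` up so it is the first `django.utils` import in the group. Purely a style point; the import itself is what the second hunk needs.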
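Review bot: The new return line switches to a constant-time comparison with no comment saying why, so the next maintainer has nothing stopping them from "simplifying" it back to `==`; add a why-comment directly above it, `# Compare in constant time: a short-circuiting == lets an attacker learn, byte by byte, how much of the stored hash matched.` The unchanged `enc_password.split('$')` on the preceding line still raises ValueError for any value that is not exactly three `$`-separated fields, which includes the `UNUSABLE_PASSWORD` sentinel `'!'` defined in the first hunk, so callers presumably check usability before reaching here — worth confirming rather than assuming. check_password's `def` line and the start of its docstring lie outside this hunk.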