use constant-time string compare for internal api authentication · 9f089ac4
Jörg Thalheim authored
Ruby str_equal uses memcmp internally to compare String. Memcmp is vulnerable to timing attacks because it returns early on mismatch (on most x32 platforms memcmp uses a bytewise comparison). Devise.secure_compare implements a constant-time comparison instead.
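Added example (not code from this commit or from Devise): the early-exit comparison the message warns about next to a constant-time version that visits every byte regardless of where the first mismatch occurs, plus a digest-based variant that also hides the length of the stored secret. Function names are assumptions for illustration.

```ruby
require 'digest'

# Mirrors the memcmp behaviour described in the commit message: the loop
# stops at the first differing byte, so the time taken depends on how many
# leading bytes of the guess match the secret. Shown for contrast only.
def early_exit_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String)
  return false unless a.bytesize == b.bytesize
  a.each_byte.zip(b.each_byte) { |x, y| return false if x != y }
  true
end

# Constant-time comparison of two byte strings. Every byte pair is XORed
# and the differences are OR-accumulated, so the running time depends on
# the length only, not on the position or number of mismatches. The one
# early return is the length check, which reveals just the length.
def constant_time_equal?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String)
  return false unless a.bytesize == b.bytesize
  result = 0
  a.each_byte.zip(b.each_byte) { |x, y| result |= x ^ y }
  result.zero?
end

# Variant that also hides the length of the expected secret: both inputs
# are reduced to a fixed-size SHA-256 digest before the constant-time
# compare, so the length check above can no longer reveal how long the
# stored token is. The trailing a == b only runs once the digests match.
def constant_time_equal_hashed?(a, b)
  return false unless a.is_a?(String) && b.is_a?(String)
  constant_time_equal?(Digest::SHA256.digest(a), Digest::SHA256.digest(b)) && a == b
end
```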