I was using a basic string comparison in the #checkPassword:against:
methods and I now understand that that is susceptible to a timing attack
on some systems (http://codahale.com/a-lesson-in-timing-attacks/). I'm
not sure these types of attack apply to Smalltalk environments or not
but its not hard to implement a constant time algorithm.
Instead of failing on the first unmatched character it reports
passing/failing after checking all characters in the hashes.
I think the new version is not susceptible to the timing attacks
mentioned in the linked article and if you use the package mentioned in
the subject you should update to the latest version.