emilfihlman 4 days ago
Fortunately a quick fix is to first go through a cryptographically secure trapdoor function that makes the initial check security time invariant, like with sha256 with a random salt, before checking exact byte matching.
tptacek 4 days ago | parent
This is an old (and unpopular) countermeasure for simple string timing attacks, but that's not what this article is talking about and that countermeasure isn't reasonable in most of the cases Kettle is talking about.