To compare the hashed password with the one provided by the user there is the util StringUtil
provided by the Symfony.
The documentation speaks about the "timing attacks": an attacker may have useful information about the complexity of the password observing the time needed to a website to compare the provided password with the one it stores.
The documentation says also that
To avoid timing attacks, the known string must be the first argument and the user-entered string the second.
Why does the order matter?