diff --git a/bot/access.go b/bot/access.go
index 5121b64..74fc61e 100644
--- a/bot/access.go
+++ b/bot/access.go
@@ -6,6 +6,8 @@ import (
 	"gitlab.com/etke.cc/go/mxidwc"
 	"maunium.net/go/mautrix/id"
+
+	"gitlab.com/etke.cc/postmoogle/utils"
 )
 func parseMXIDpatterns(patterns []string, defaultPattern string) ([]*regexp.Regexp, error) {
@@ -78,5 +80,5 @@ func (b *Bot) AllowAuth(mailbox, password string) bool {
 		return false
 	}
-	return cfg.Password() != "" && cfg.Password() == password
+	return utils.Compare(password, cfg.Password())
 }
diff --git a/bot/command.go b/bot/command.go
index 26242e5..710c0b2 100644
--- a/bot/command.go
+++ b/bot/command.go
@@ -76,7 +76,6 @@ func (b *Bot) initCommands() commandList {
 		{
 			key: roomOptionPassword,
 			description: "Get or set SMTP password of the room's mailbox",
-			sanitizer: func(s string) string { return strings.TrimSpace(s) },
 			allowed: b.allowOwner,
 		},
 		{allowed: b.allowOwner}, // delimiter
diff --git a/bot/command_owner.go b/bot/command_owner.go
index 6d979a6..3d1490a 100644
--- a/bot/command_owner.go
+++ b/bot/command_owner.go
@@ -62,12 +62,17 @@ func (b *Bot) getOption(ctx context.Context, name string) {
 	msg := fmt.Sprintf("`%s` of this room is `%s`\n"+
 		"To set it to a new value, send a `%s %s VALUE` command.",
 		name, value, b.prefix, name)
+	if name == roomOptionPassword {
+		msg = msg + "\n\n---\n\n" +
+			"**Please, remove that message after reading.**"
+	}
 	b.SendNotice(ctx, evt.RoomID, msg)
 }
+//nolint:gocognit
 func (b *Bot) setOption(ctx context.Context, name, value string) {
 	cmd := b.commands.get(name)
-	if cmd != nil {
+	if cmd != nil && cmd.sanitizer != nil {
 		value = cmd.sanitizer(value)
 	}
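Review bot: The explicit empty-password rejection has moved out of AllowAuth into utils.Compare, so a reader of this function no longer sees that a mailbox with no configured password rejects every login; a one-line comment above the new return keeps that visible: `// utils.Compare returns false for an empty stored password, so a mailbox without one never authenticates.` The argument order also matters here because that empty check is applied to the second argument only (untrusted input first, stored secret second), which is worth stating in the same comment. AllowAuth's body starts before this hunk.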
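Review bot: getOption now writes the room's SMTP password in clear text into a room notice and relies on the reader to delete it afterwards, which the code does not say anywhere; add above the `if name == roomOptionPassword` block a comment such as `// The password is echoed into room history in clear text; the notice asks the user to redact it afterwards.` The same suffix construction (`"\n\n---\n\n" + "**…**"`) is repeated in the next hunk of setOption with a different sentence, so a small helper, e.g. `func withPasswordHint(msg, hint string) string { return msg + "\n\n---\n\n**" + hint + "**" }`, would keep both notices consistent and avoid the duplicated markup. The added `//nolint:gocognit` suppresses the complexity warning on setOption instead of extracting a helper; moving the password hint into the helper above would likely remove the need for the directive. getOption begins before this hunk and setOption continues past it.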
@@ -104,5 +109,10 @@ func (b *Bot) setOption(ctx context.Context, name, value string) {
 		return
 	}
-	b.SendNotice(ctx, evt.RoomID, fmt.Sprintf("`%s` of this room set to `%s`", name, value))
+	msg := fmt.Sprintf("`%s` of this room set to `%s`", name, value)
+	if name == roomOptionPassword {
+		msg = msg + "\n\n---\n\n" +
+			"**Please, remove that message and the previous one.**"
+	}
+	b.SendNotice(ctx, evt.RoomID, msg)
 }
diff --git a/utils/utils.go b/utils/utils.go
index 93271da..a002cd4 100644
--- a/utils/utils.go
+++ b/utils/utils.go
@@ -1,6 +1,7 @@
 package utils
 import (
+	"crypto/subtle"
 	"strconv"
 	"strings"
 )
@@ -33,3 +34,24 @@ func Bool(str string) bool {
 func SanitizeBoolString(str string) string {
 	return strconv.FormatBool(Bool(str))
 }
+
+// Compare strings with constant time to prevent timing attacks
+func Compare(actual, expected string) bool {
+	actualb := []byte(actual)
+	expectedb := []byte(expected)
+
+	if expected == "" {
+		// Just to keep constant time
+		_ = subtle.ConstantTimeCompare(expectedb, expectedb) == 1
+		return false
+	}
+
+	// actual comparison
+	if subtle.ConstantTimeEq(int32(len(actual)), int32(len(expected))) == 1 {
+		return subtle.ConstantTimeCompare(actualb, expectedb) == 1
+	}
+
+	// Just to keep constant time
+	_ = subtle.ConstantTimeCompare(expectedb, expectedb) == 1
+	return false
+}
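Review bot: The padding call in the `expected == ""` branch compares two empty slices and so does no work, which makes its `// Just to keep constant time` comment misleading; either drop that call or say what is actually accepted there, e.g. `// No secret configured: reject outright. Timing here only reveals that no password is set, not anything about it.` The two `[]byte` conversions at the top of Compare run before that guard, so moving `actualb := []byte(actual)` and `expectedb := []byte(expected)` below the early return avoids allocating for a case that always returns false. The doc comment on this exported function should state the contract callers rely on: `actual` is the untrusted input, `expected` the stored secret, an empty `expected` never matches, and the self-compare in the length-mismatch branch exists because `subtle.ConstantTimeCompare` returns early when lengths differ. Casting lengths through `int32` is fine for passwords but wraps silently for inputs over 2 GiB, so a short comment noting that this helper is intended for short secrets would prevent misuse on larger data.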