I’ve seen code like this:
if(password.length !== allowedPassword.length || !crypto.timingSafeEqual(password, allowedPassword))
So timingSafeEqual is supposed to use the same amount of time to compare 2 passwords, in order to prevent the attacker from estimating the complexity of the password.
My question is: if both passwords are not equal in length, the comparison will never run, so how does this help at all? If the comparison runs, then the attacker knows the exact length of the password because the time is always the same, and if it doesn't run he can estimate the complexity lol