
I might be missing something, but wouldn't that code allow one to guess the password length, because it returns more quickly if the length doesn't match? As far as I can see, the following would give away less information:

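  def is_equal(actual, submitted):
      # Assumes actual is non-empty: i % len(actual) divides by zero otherwise.
      result = 0
      # Loop over the submitted string, so the iteration count does not depend on len(actual).
      for i in range(0, len(submitted)):
          # OR together the XOR of each character pair; any mismatch leaves a non-zero bit.
          result |= ord(actual[i % len(actual)]) ^ ord(submitted[i])
      # The length check comes last, after the full loop has run.
      return result == 0 and len(actual) == len(submitted)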
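
An added example, not part of the comment above: another way to keep the comparison independent of the stored value's length is to compare fixed-length keyed digests with the standard library's `hmac.compare_digest`. The names `_COMPARE_KEY`, `_fixed_length_tag`, `is_equal_fixed_length`, `SAMPLE_CASES` and `run_samples` are hypothetical, and the sample inputs are constructed.

```python
import hashlib
import hmac
import secrets

# Random key generated once per process (an assumption of this example).
# Keying the hash keeps the tags being compared unpredictable to the caller.
_COMPARE_KEY = secrets.token_bytes(32)


def _fixed_length_tag(value: str) -> bytes:
    """Map a string of any length to a 32-byte HMAC-SHA256 tag."""
    return hmac.new(_COMPARE_KEY, value.encode("utf-8"), hashlib.sha256).digest()


def is_equal_fixed_length(actual: str, submitted: str) -> bool:
    """Compare two strings through their 32-byte tags.

    hmac.compare_digest avoids content-based short-circuiting, and both of its
    arguments are always 32 bytes here, so the comparison step never sees the
    original lengths. Computing the tags still costs more for longer inputs.
    """
    return hmac.compare_digest(_fixed_length_tag(actual), _fixed_length_tag(submitted))


# Constructed sample inputs: (actual, submitted, expected result).
SAMPLE_CASES = [
    ("hunter2", "hunter2", True),
    ("hunter2", "hunter", False),          # submitted is a prefix of actual
    ("hunter2", "hunter2hunter2", False),  # submitted repeats actual
    ("", "", True),                        # both empty
    ("", "x", False),                      # empty actual, no modulo involved
]


def run_samples():
    """Return one boolean per sample case: True when the result matches."""
    return [is_equal_fixed_length(a, s) == expected for a, s, expected in SAMPLE_CASES]


if __name__ == "__main__":
    for (a, s, expected), ok in zip(SAMPLE_CASES, run_samples()):
        print(f"actual={a!r} submitted={s!r} expected={expected} ok={ok}")
```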

