diff --git a/api/views.py b/api/views.py
index bf11159b..c2ac4541 100644
--- a/api/views.py
+++ b/api/views.py
@@ -1,4 +1,5 @@
 from datetime import datetime, timedelta
+from hmac import compare_digest
 from decouple import config
 from django.conf import settings
@@ -558,11 +559,12 @@ class OrderView(viewsets.ViewSet):
 if not valid:
 return Response(context, status=status.HTTP_409_CONFLICT)
- if order.password is not None and order.password != password:
- return Response(
- {"bad_request": "Wrong password"},
- status=status.HTTP_403_FORBIDDEN,
- )
+ if order.password is not None:
+ if password is None or not compare_digest(order.password, password):
+ return Response(
+ {"bad_request": "Wrong password"},
+ status=status.HTTP_403_FORBIDDEN,
+ )
 # For order with amount range, set the amount now.
 if order.has_range:
diff --git a/tests/README.md b/tests/README.md
index 35ecf8b3..31fb8a51 100644
--- a/tests/README.md
+++ b/tests/README.md
@@ -2,6 +2,6 @@
 ```
 docker compose -f docker-tests.yml --env-file tests/compose.env up -d
-docker exec coordinator coverage run manage.py test
-docker exec coordinator coverage report
+docker exec test-coordinator coverage run manage.py test
+docker exec test-coordinator coverage report
 ```
\ No newline at end of file
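Review bot: The added `if password is None or not compare_digest(order.password, password)` line raises `TypeError` whenever either value contains a non-ASCII character, because `hmac.compare_digest` only accepts ASCII-only `str` (or `bytes`), so a client submitting a non-ASCII password now gets an unhandled exception (a 500) instead of the 403 the old `!=` check would have produced, and the same happens if `password` arrives as a non-string JSON value. Compare as bytes and guard the type: `if not isinstance(password, str) or not compare_digest(order.password.encode("utf-8"), password.encode("utf-8")):`. Where `password` is parsed and whether `order.password` is a plaintext field (the direct comparison suggests it is, in which case hashing it at rest would matter more than a constant-time compare) are not visible here; the enclosing view method starts and ends outside the hunk.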