Mitigate Timing Attacks On Basic RPC Authorization
Eliminates the possibility of timing attacks by changing the way the two passwords are compared.
It iterates through each char in the strings, and if the two chars it is comparing aren't the same, then it adds 1 to nReturn and the function, once it's done comparing all the chars, will return false. Previously, the function would return false on the first char that didn't match, allowing a possible attacker to run a timing attack.
See
https://github.com/bitcoin/bitcoin/pull/2886
http://rdist.root.org/2010/01/07/timing-independent-array-comparison/
for a more detailed explanation.
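
The difference between the two comparison styles described above, as an added example that is not code from this commit or from the Bitcoin project. The function names, the `steps` counter and the sample password are assumptions made for illustration, and the second function folds differences together with XOR/OR instead of the counter the message describes.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Early-exit comparison: returns at the first differing char, so the number of
// loop iterations reveals how long the matching prefix is.
// `steps` (added for illustration) counts iterations instead of measuring time.
bool EarlyExitEqual(const std::string& supplied, const std::string& secret, size_t& steps)
{
    steps = 0;
    if (supplied.size() != secret.size()) return false;
    for (size_t i = 0; i < supplied.size(); i++) {
        steps++;
        if (supplied[i] != secret[i]) return false;
    }
    return true;
}

// Accumulating comparison: visits every char of `supplied` and folds all
// differences into nDiff, deciding only after the loop. The iteration count
// depends on the caller-supplied length alone, never on where a mismatch is.
bool AccumulatingEqual(const std::string& supplied, const std::string& secret, size_t& steps)
{
    steps = 0;
    if (secret.empty()) return supplied.empty();
    size_t nDiff = supplied.size() ^ secret.size(); // length mismatch is a difference
    for (size_t i = 0; i < supplied.size(); i++) {
        steps++;
        nDiff |= static_cast<unsigned char>(supplied[i]) ^
                 static_cast<unsigned char>(secret[i % secret.size()]);
    }
    return nDiff == 0;
}

int main()
{
    const std::string secret = "rpc-password"; // constructed sample value
    const char* guesses[] = {"Xpc-password", "rpc-passworX", "rpc-password"};
    for (const char* g : guesses) {
        size_t early = 0, accum = 0;
        bool r1 = EarlyExitEqual(g, secret, early);
        bool r2 = AccumulatingEqual(g, secret, accum);
        std::cout << g << ": early-exit " << r1 << " in " << early
                  << " steps, accumulating " << r2 << " in " << accum << " steps\n";
    }
    return 0;
}
```

The early-exit version does 1 step for a wrong first char and 12 for a wrong last char, while the accumulating version does 12 in both cases.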