Use a salted hash of the lock passphrase instead of plain text and do
author dtucker <dtucker@openbsd.org>
Fri, 15 May 2015 05:44:21 +0000 (05:44 +0000)
committer dtucker <dtucker@openbsd.org>
Fri, 15 May 2015 05:44:21 +0000 (05:44 +0000)
commit cb653e3c059f989c4546fd1f4813ae2592d38680
tree da4b60779a07acf1f7d7331d0f991142e1f1a710
parent f1bfdb2b2c4958e7577ffd21cef2643c0e658f1b
Use a salted hash of the lock passphrase instead of plain text and do
constant-time comparisons of it. Should prevent leaking any information about
it via timing, pointed out by Ryan Castellucci.  Add a 0.1s incrementing delay
for each failed unlock attempt up to 10s.  ok markus@ (earlier version), djm@
usr.bin/ssh/ssh-agent.c
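
The three measures named in the commit message (salted hash instead of the stored passphrase, constant-time comparison, 0.1s incrementing delay capped at 10s), as an added Python sketch that is not code from this commit or from ssh-agent.c. Assumptions: the `AgentLock` class, its method names, the 16-byte salt and PBKDF2-HMAC-SHA256 with `KDF_ROUNDS` iterations are all hypothetical stand-ins, since the page does not name the hash or its parameters.

```python
import hashlib
import hmac
import os
import time

DELAY_STEP_MS = 100    # 0.1s added per failed unlock (from the commit message)
DELAY_MAX_MS = 10_000  # 10s cap (from the commit message)
KDF_ROUNDS = 100_000   # assumption: the page gives no KDF or cost parameter


class AgentLock:
    """Hypothetical model of the agent lock state, not ssh-agent's own structures."""

    def __init__(self, sleep=time.sleep):
        self.salt = None
        self.digest = None
        self.failures = 0
        self.sleep = sleep  # injectable so the delay can be observed without waiting

    def _derive(self, passphrase):
        # Only this salted digest is kept in memory, never the passphrase itself.
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self.salt, KDF_ROUNDS)

    def lock(self, passphrase):
        if self.digest is not None:
            return False  # already locked
        self.salt = os.urandom(16)  # fresh random salt for every lock operation
        self.digest = self._derive(passphrase)
        return True

    def delay_ms(self):
        # Grows by one step per recorded failure and stops at the cap.
        return min(self.failures * DELAY_STEP_MS, DELAY_MAX_MS)

    def unlock(self, passphrase):
        if self.digest is None:
            return False  # not locked
        candidate = self._derive(passphrase)
        # compare_digest does not return early at the first differing byte,
        # so response time does not reveal how much of the digest matched.
        if hmac.compare_digest(candidate, self.digest):
            self.salt = self.digest = None
            self.failures = 0
            return True
        self.failures += 1
        self.sleep(self.delay_ms() / 1000)
        return False
```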