Currently, password hashes are compared by looping over the hash and stopping on the first mismatch. In theory an attacker can launch a timing attack.
I don't think it's a problem by itself in practice, but it might be in combination with other issues. For example, if the hash algorithm is somewhat broken, or the salt is known to the attacker.
But anyway, it's easy to fix, so I think it should be fixed.
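
An added example, not code from the project this report concerns: the early-exit comparison described above next to a full-length comparison, with a count of bytes examined standing in for running time. The function names and the SHA-256 sample hash are assumptions made for illustration.

```python
import hashlib
import hmac


def early_exit_equal(a: bytes, b: bytes) -> tuple[bool, int]:
    """Comparison as the report describes it: stop at the first mismatch.

    The second value is the number of bytes examined, a deterministic
    stand-in for the running time an observer could measure.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def constant_time_equal(a: bytes, b: bytes) -> tuple[bool, int]:
    """Fixed form: walk the full length and OR the differences together."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        diff |= x ^ y
    return diff == 0, examined


def work_profile(compare, stored: bytes) -> list[int]:
    """Bytes examined when the first difference is at offset 0, 8, 16, 31."""
    profile = []
    for pos in (0, 8, 16, 31):
        candidate = bytearray(stored)
        candidate[pos] ^= 0xFF
        profile.append(compare(stored, bytes(candidate))[1])
    return profile


# Constructed sample: SHA-256 over a made-up salt and password.
STORED = hashlib.sha256(b"constructed-salt" + b"constructed-password").digest()

if __name__ == "__main__":
    print("early exit   :", work_profile(early_exit_equal, STORED))
    print("constant time:", work_profile(constant_time_equal, STORED))
    # Production code should call the library primitive, not a hand-rolled loop.
    print("compare_digest:", hmac.compare_digest(STORED, STORED))
```

The hand-written loop only illustrates the idea; an interpreter gives no timing guarantee for it, which is why the last line uses `hmac.compare_digest`.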