diff --git a/basic_auth.go b/basic_auth.go
index a14c27a..38ae943 100644
--- a/basic_auth.go
+++ b/basic_auth.go
@@ -102,9 +102,14 @@ func (b *basicAuth) simpleBasicAuthFunc(user, pass string, r *http.Request) bool
 	requiredUser := sha256.Sum256([]byte(b.opts.User))
 	requiredPass := sha256.Sum256([]byte(b.opts.Password))
 
+	// Combine user and pass hashes together into single byte
+	// array to ensure constant time comparison no matter the
+	// combination of user or pass matching.
+	givenUserPass := append(givenUser[:], givenPass[:]...)
+	requiredUserPass := append(requiredUser[:], requiredPass[:]...)
+
 	// Compare the supplied credentials to those set in our options
-	if subtle.ConstantTimeCompare(givenUser[:], requiredUser[:]) == 1 &&
-		subtle.ConstantTimeCompare(givenPass[:], requiredPass[:]) == 1 {
+	if subtle.ConstantTimeCompare(givenUserPass[:], requiredUserPass[:]) == 1 {
 		return true
 	}
 
diff --git a/go.mod b/go.mod
new file mode 100644
index 0000000..4b6a9f5
--- /dev/null
+++ b/go.mod
@@ -0,0 +1,3 @@
+module github.com/goji/httpauth
+
+go 1.17
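Review bot: The re-slicing `givenUserPass[:]` and `requiredUserPass[:]` on the new `if` line is redundant — both variables are already `[]byte` slices returned by append — so `if subtle.ConstantTimeCompare(givenUserPass, requiredUserPass) == 1 {` says the same thing more plainly. The concatenation itself looks right: each half is a fixed 32-byte SHA-256 digest, so both joined inputs are always 64 bytes, ConstantTimeCompare's early return on a length mismatch cannot fire, and the former `&&` short-circuit that skipped the password compare whenever the username hash mismatched is gone. The new comment should say "slice" rather than "array" and would be more useful stating the invariant the fix relies on, e.g. `// Both halves are fixed-length digests, so the joined slices are always 64 bytes and a single compare neither short-circuits nor reveals which half mismatched.` givenUser and givenPass are defined before the hunk, so I am assuming they are `[32]byte` digests like requiredUser; if either were instead a slice with spare capacity, `append(givenUser[:], ...)` could write into its backing array rather than allocate. simpleBasicAuthFunc starts and ends outside the hunk.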