PHP :: Sec Bug #81744 :: Password_verify() always return true with some hash

We discussed this vulnerability during Episode 189 on 20 February 2023.

Some malformed hashes will “validate” against any value compared using password_verify. This is due to an old hack in PHP’s Blowfish implementation: a malformed hash with a $ character in the salt segment results in an early break, and the logic that follows then behaves incorrectly.
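
A defensive check that follows from the description above, as an added example (not code from the PHP project or the bug report): validate the stored hash against the strict bcrypt layout before it reaches password_verify, so a hash with a $ in its salt segment is rejected up front. The function names and sample strings are hypothetical, and the example assumes the credential store holds only bcrypt hashes.

```php
<?php
declare(strict_types=1);

// Strict bcrypt layout: $2a/$2b/$2x/$2y prefix, two-digit cost, then exactly
// 22 salt + 31 digest characters from the bcrypt alphabet ./A-Za-z0-9.
// A '$' anywhere in the salt segment cannot match this pattern.
const BCRYPT_PATTERN = '~\A\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}\z~';

/** Return true only if $hash is a structurally valid bcrypt string. */
function is_wellformed_bcrypt(string $hash): bool
{
    if (preg_match(BCRYPT_PATTERN, $hash, $m) !== 1) {
        return false;
    }
    $cost = (int) $m[1];
    return $cost >= 4 && $cost <= 31; // cost range accepted by bcrypt
}

/** Hypothetical wrapper: refuse malformed stored hashes before verifying. */
function verify_password_strict(string $password, string $storedHash): bool
{
    if (!is_wellformed_bcrypt($storedHash)) {
        // A malformed hash in the store is worth an alert: it should never
        // have been written by password_hash().
        error_log('rejected malformed bcrypt hash in credential store');
        return false;
    }
    return password_verify($password, $storedHash);
}

// Constructed sample data (not taken from the bug report).
$good = password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 4]);
// 60 characters long, but with a '$' placed inside the 22-character salt.
$bad = '$2y$04$' . 'abcdefghij$klmnopqrstu' . str_repeat('A', 31);

foreach (['good' => $good, 'bad' => $bad] as $label => $hash) {
    printf("%s: wellformed=%s\n", $label, var_export(is_wellformed_bcrypt($hash), true));
}
printf("strict verify (good hash, right password): %s\n",
    var_export(verify_password_strict('correct horse', $good), true));
printf("strict verify (bad hash, arbitrary password): %s\n",
    var_export(verify_password_strict('anything', $bad), true));
```

The same pattern can be run as a one-off audit over stored hashes to find records that were written or tampered with outside password_hash.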