In includes/acp/acp_users.php you can found in line 838 this code:

$update_password = ($data['new_password'] && !phpbb_check_hash($user_row['user_password'], $data['new_password'])) ? true : false;

But the parameters for phpbb_check_hash are interchanged so that it will always return a wrong result.