Sometimes websites deny a password change because the new password is "similar" to the old one, How do they know that, if all they got is a hash that should be completely different if even 1 character was changed?