eZ Publish / Platform: EZP-25058

md5 string comparison with "==" fails if the strings begin with "0e"


Details

    Description

      If you are doing an md5 string comparison with "==" instead of "===", all hashes that consist of "0e" followed only by digits will be considered identical, as reported here:

      http://stackoverflow.com/questions/22140204/why-md5240610708-is-equal-to-md5qnkcdzo
      http://stackoverflow.com/questions/12598407/php-expresses-two-different-strings-to-be-the-same

      Example:

      var_dump(md5('240610708') == md5('QNKCDZO'));
      
      output: bool(true)
      

      That is so because the hashes evaluate to 0e462097431906509019562988736854 and 0e830400451993494058024219903391, respectively. When you use ==, PHP treats both operands as numeric strings in scientific notation (0 × 10^462097...), converts each to a float, and so they each become 0. 0 == 0 is true. On the other hand, this:

      md5('240610708') === md5('QNKCDZO')
      

      ...returns false because the string values are different. === compares type and value without any conversion.

      An example of this in eZ Publish can be found in ezpublish_legacy/kernel/classes/ezcodetemplate.php:

      ...
      $originalMD5 = md5_file( $filePath );
      $updatedMD5 = md5_file( $tempFile );
      if ( $originalMD5 == $updatedMD5 )
      {
      ...
      

      Steps to reproduce:

      A visible effect of this can be reproduced by:

      1. Alter a user's password and enter "0e123";
      2. Enter "0e456" as the password confirmation;

      The password will be changed. Should have returned an error message instead:

      The draft could not be stored.
      
      Required data is either missing or is invalid:
      User account: The passwords do not match.
      

      The code in ezpublish_legacy/kernel/classes/datatypes/ezuser/ezuser.php seems to be responsible for this (the same loose comparison, this time on two user-supplied strings):

      ...
      if ( eZUser::validatePassword( $password ) and
           $password == $passwordConfirm ) // Cannot change login or password_hash without login and password
      ...
      
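      The following script is an added example, not code from eZ Publish, covering both passages above: the md5_file() comparison in ezcodetemplate.php and the password-confirmation check in ezuser.php. It shows the same two inputs compared with == and with ===, checks why PHP treats the digests as numbers (is_numeric() accepts them), and gives a hardened comparison. The function names compareBoth(), isNumericLooking() and passwordsMatch() are assumptions made for this example; the hash values and the "0e123"/"0e456" inputs are the ones from the report.

```php
<?php
// Added example (not eZ Publish code): PHP loose comparison of strings
// that look like numbers in scientific notation.
declare(strict_types=1);

/**
 * Compare two strings with both operators so the difference between
 * == and === can be observed on the same input.
 */
function compareBoth(string $a, string $b): array
{
    return ['loose' => ($a == $b), 'strict' => ($a === $b)];
}

/**
 * Why the coercion happens: PHP only compares two strings numerically
 * when BOTH are numeric strings. "0e" followed by digits is a valid
 * float literal (0 times ten to some power), so is_numeric() accepts it.
 */
function isNumericLooking(string $s): bool
{
    return is_numeric($s);
}

/**
 * Hardened comparison for the password-confirmation and file-digest
 * cases. hash_equals() (PHP >= 5.6) compares byte-for-byte, never
 * coerces to a number, and runs in time independent of where the
 * strings first differ.
 */
function passwordsMatch(string $password, string $confirm): bool
{
    return hash_equals($password, $confirm);
}

// Case 1, as in ezcodetemplate.php: two different inputs whose MD5 hex
// digests both begin with "0e" and contain only digits after it.
$h1 = md5('240610708'); // 0e462097431906509019562988736854
$h2 = md5('QNKCDZO');   // 0e830400451993494058024219903391
var_dump(isNumericLooking($h1), isNumericLooking($h2)); // true, true
var_dump(compareBoth($h1, $h2));  // loose => true, strict => false
var_dump(passwordsMatch($h1, $h2)); // false

// Case 2, as in ezuser.php: the two values from the reproduction steps
// are different strings but compare equal with ==.
var_dump(compareBoth('0e123', '0e456'));   // loose => true, strict => false
var_dump(passwordsMatch('0e123', '0e456')); // false
var_dump(passwordsMatch('0e123', '0e123')); // true

// A non-numeric string is never coerced, so == is safe here by accident,
// which is exactly why the bug only surfaces for "0e..." inputs.
var_dump(compareBoth('secret', 'Secret')); // loose => false, strict => false
```

      Replacing `==` with `===` in both spots is the minimal fix; `hash_equals()` is the idiomatic choice where one of the operands comes from the user or from a file, since it also avoids a timing side channel. Note that the loose-comparison result is the same on PHP 7 and PHP 8: PHP 8 changed how a number compares with a non-numeric string, but two numeric strings are still compared as numbers.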

      Assignee: Unassigned
      Reporter: Nuno Oliveira (Inactive)