At some point all passwords are plain text, be it on the client or whatever, they could simply check it before it is encrypted and stored, even on the client end if they wanted to.