diff --git a/lib/SimpleSAML/Utils/Crypto.php b/lib/SimpleSAML/Utils/Crypto.php
index 79d7f814931cde7082ab2d0308a2cd9656034909..efd2aba4320b8334211986bb343d4df8ee79bc84 100644
--- a/lib/SimpleSAML/Utils/Crypto.php
+++ b/lib/SimpleSAML/Utils/Crypto.php
@@ -356,6 +356,9 @@ class Crypto
      */
     public static function pwValid(string $hash, string $password): bool
     {
+        if (!is_null(password_get_info($password)['algo'])) {
+            throw new Error\Exception("Cannot use a hash value for authentication.");
+        }
         if (password_verify($password, $hash)) {
             return true;
         }
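Review bot: The new guard at the top of pwValid() relies on password_get_info() returning null for an unrecognised string, which is the PHP 7.4+ behaviour. Earlier versions report the algorithm as integer 0, so `!is_null(...)` would be true for every password and every login attempt would throw; if such runtimes are still supported, `if (!empty(password_get_info($password)['algo'])) {` covers both cases. The check also recognises only the hash formats PHP itself produces, so it would not help if the rest of the function, which lies outside this hunk, compares stored values in some other format directly against the input. Because the method now throws where it previously only returned a bool, the docblock above (also partly outside the hunk) should gain `@throws Error\Exception if $password is itself a recognised password hash`.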
diff --git a/tests/lib/SimpleSAML/Utils/CryptoTest.php b/tests/lib/SimpleSAML/Utils/CryptoTest.php
index 1dd32661b3b36dfc02be9db83b1fdefee3a19838..044eacbda07d87b189b81359d51971524033bd1e 100644
--- a/tests/lib/SimpleSAML/Utils/CryptoTest.php
+++ b/tests/lib/SimpleSAML/Utils/CryptoTest.php
@@ -165,6 +165,18 @@ PHP;
         $this->assertFalse($res);
     }
 
+    /**
+     * Check that hash cannot be used to authenticate ith.
+     */
+    public function testHashAsPwInvalid(): void
+    {
+        $pw = "password";
+
+        $hash = Crypto::pwHash($pw);
+        $this->expectException(Error\Exception::class);
+        $res = Crypto::pwValid($hash, $hash);
+    }
+
 
     /**
      */
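Review bot: The docblock of testHashAsPwInvalid has a typo ("ith"), and the `$res` assignment is never read because the call is expected to throw. I would write the summary as `Check that a hash cannot be used as the password to authenticate with.` and call `Crypto::pwValid($hash, $hash);` without the assignment. The test pins only the exception type, so adding `$this->expectExceptionMessage('Cannot use a hash value for authentication.');` would stop it passing on an unrelated Error\Exception raised elsewhere in pwValid.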