The hash probably embeds date/time information into the hashed string. That would be my guess based on the last time I looked into a similar request.
Do you have credential policies configured so that the user must change their password at the next logon attempt? If so, maybe you could check to see if it has been modified:
admin:run sql query select eu.userid, tc.name as credentialtype, c.credmustchange from enduser as eu inner join credential as c on c.fkenduser=eu.pkid inner join typecredential as tc on c.tkcredential=tc.enum where c.credmustchange='t'
Another table you could check is the credentialhistory table. Could be useful if you aren't enforcing password changes but have enabled password history. Maybe something like:
admin:run sql query select eu.userid,tc.name as credentialtype, ch.changeid, ch.timechanged from enduser as eu inner join credentialhistory as ch on ch.fkenduser=eu.pkid inner join typecredential as tc on ch.tkcredential=tc.enum
HTH.
Regards,
Bill