Symfony version(s) affected: 4.4.0
Description
I'm getting an exception thrown when a user who has no password set at all (their password field is null, they use another method to log in) attempts to change their password:
I'm not sure if this will be considered a bug, but I don't think that passwordEncoders should assume that the value stored as the password will always be a string.
From looking at the code, it seems that needsRehash() is perhaps the only method which makes that assumption. I was about to suggest allowing non-string values in needsRehash(), but in this particular case, needsRehash() is called as part of checking the supplied password for validity:
Presumably, this is to avoid extra checks with other encoders if the password hash appears valid to the current encoder. This doesn't seem necessary, so perhaps just removing this check would be acceptable?
Alternatively, perhaps $encoded could be cast to string in that call?
How to reproduce
- Create a user without a password.
- Try logging in with that user with a password.
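
A minimal PHP illustration of the failure mode in this report, added here as an example and not taken from Symfony or from the reporter. StrictEncoder and checkPassword are hypothetical names, and rejecting a null stored hash before any encoder is called is one assumed way to make the check fail closed instead of throwing.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for an encoder whose methods accept only string hashes.
final class StrictEncoder
{
    public function isPasswordValid(string $encoded, string $raw): bool
    {
        return password_verify($raw, $encoded);
    }

    public function needsRehash(string $encoded): bool
    {
        return password_needs_rehash($encoded, PASSWORD_DEFAULT);
    }
}

// Hypothetical guard: an account with no stored hash can never match a
// supplied password, so return false before the encoder sees the value.
function checkPassword(StrictEncoder $encoder, ?string $storedHash, string $raw): bool
{
    if ($storedHash === null || $storedHash === '') {
        return false;
    }

    return $encoder->isPasswordValid($storedHash, $raw);
}

$encoder = new StrictEncoder();
$hash = password_hash('correct horse', PASSWORD_DEFAULT); // constructed sample hash

// Unguarded path: a null hash reaching a string-typed parameter raises TypeError,
// which surfaces as an unhandled exception during the password check.
try {
    $encoder->needsRehash(null);
} catch (TypeError $e) {
    echo "unguarded call: TypeError\n";
}

// Guarded path: the passwordless account is rejected without an exception,
// and accounts with a real hash behave as before.
var_dump(checkPassword($encoder, null, 'anything'));
var_dump(checkPassword($encoder, $hash, 'correct horse'));
var_dump(checkPassword($encoder, $hash, 'wrong'));
```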