That is indeed how it should go: the hash must be something unique with which you can identify the user. For example, you could create a hash of the email address and the current password hash to verify the user.
{{ user.email.sha1(user.password) }}
When the user is verified, you can safely update the password field with the hash of the new password supplied by the user.
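The flow described in this reply, written out as an added example (it is not the poster's code and the names `make_reset_token`, `verify_reset_token` and `reset_password` are hypothetical). It keeps the idea of binding the token to the email address and the current password hash, so the token stops verifying as soon as the password changes; it swaps the plain sha1 for an HMAC-SHA256 keyed with a server-side secret (an assumption, so that the token cannot be recomputed by anyone who merely learns the stored hash) and compares tokens in constant time.

```python
import hashlib
import hmac
import os

# Constructed server-side secret; in a real deployment it comes from configuration.
SERVER_SECRET = b"constructed-server-secret-do-not-reuse"
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256 password hash, stored as 'salt:digest' in hex."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + ":" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split(":")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def make_reset_token(user: dict) -> str:
    """Reset token bound to the user's email and *current* password hash.

    Because the current password hash is part of the MAC input, the token is
    automatically invalidated once the password field is updated.
    """
    msg = user["email"].encode() + b"\x00" + user["password_hash"].encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def verify_reset_token(user: dict, token: str) -> bool:
    """Constant-time check that the presented token matches the user's current state."""
    return hmac.compare_digest(make_reset_token(user), token)


def reset_password(user: dict, token: str, new_password: str) -> bool:
    """Only after the token verifies is the password field replaced with the new hash."""
    if not verify_reset_token(user, token):
        return False
    user["password_hash"] = hash_password(new_password)
    return True


def demo() -> dict:
    """Walk through issue -> verify -> reset -> old token rejected, returning the outcomes."""
    user = {"email": "alice@example.com", "password_hash": hash_password("old-password")}
    token = make_reset_token(user)  # e.g. embedded in the emailed reset link
    return {
        "bad_token_rejected": not reset_password(user, "0" * 64, "attacker-choice"),
        "good_token_accepted": reset_password(user, token, "new-password"),
        "old_token_dead": not verify_reset_token(user, token),
        "new_password_works": verify_password("new-password", user["password_hash"]),
    }


if __name__ == "__main__":
    print(demo())
```

The token is never stored: the server recomputes it from the user record on every check, so a successful reset (which changes `password_hash`) is what revokes it. Adding an expiry timestamp to the MAC input is a common extension but is outside what the reply describes.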