If you throw an exception inside of User::setPassword(), you'll end up with an entry like this in your logs:
#0 /path/1.18wmf1/includes/specials/SpecialUserlogin.php(413): User->setPassword('passwordzomg')
This is pretty bad, since we don't want to leak a user's password to system administrators.
Version: 1.22.0
Severity: normal
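
One way to keep argument values out of logged stack traces, shown as an added example that is not MediaWiki's own code. The helper redactedTraceAsString() and the stub User class are hypothetical, and PHP 7.4 or later is assumed.

```php
<?php
// Added example, not MediaWiki code. redactedTraceAsString() is a hypothetical helper.

/**
 * Format a trace in the style of Throwable::getTraceAsString(), but replace
 * every argument value with its type so secrets never reach the log.
 */
function redactedTraceAsString(Throwable $e): string
{
    $lines = [];
    foreach ($e->getTrace() as $i => $frame) {
        // 'args' is absent when zend.exception_ignore_args is enabled.
        $args = array_map(
            static fn($arg) => 'REDACTED ' . (is_object($arg) ? get_class($arg) : gettype($arg)),
            $frame['args'] ?? []
        );
        $call = ($frame['class'] ?? '') . ($frame['type'] ?? '') . $frame['function'];
        $where = isset($frame['file'])
            ? $frame['file'] . '(' . $frame['line'] . ')'
            : '[internal function]';
        $lines[] = sprintf('#%d %s: %s(%s)', $i, $where, $call, implode(', ', $args));
    }
    $lines[] = '#' . count($lines) . ' {main}';
    return implode("\n", $lines);
}

// Constructed stand-in for the class named in the report.
class User
{
    public function setPassword($password)
    {
        throw new RuntimeException('storage backend unavailable');
    }
}

try {
    (new User())->setPassword('passwordzomg');
} catch (Throwable $e) {
    // Log the redacted form instead of $e->getTraceAsString(), which
    // would embed the password argument in the log entry.
    error_log($e->getMessage() . "\n" . redactedTraceAsString($e));
}
```

The call chain, file and line are preserved for debugging while the argument is reduced to its type. On PHP 8.2 and later, the #[\SensitiveParameter] attribute on the parameter makes the engine hide that one argument in traces.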