Whenever I try to explain unit testing to another developer, I refer to the “smallest unit of work” that’s possible to test.
WordPress’ password creation/verification system is pluggable (meaning you can replace it with your own implementation). Before you do so, though, you should understand what’s already implemented and why.
Do you have an unrequested patch lying around somewhere? Put it on Trac; you might be surprised by the response!
What if a visitor uploads a file that’s too large for your system to handle?