If they have the hashed password from the user database, they verify it the same way the website does when you try to log in.
They run the guessed password through an algorithm and compare the output to the value from the database. If they match, the password will work to log into the website.
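The check described above, as an added Python example that is not part of the original answer. It assumes PBKDF2-HMAC-SHA256 and a constructed `algo$iterations$salt$digest` record format, since the answer names no specific algorithm. `verify` needs nothing but the stored record, which is why a copied database allows guesses to be checked without touching the site, and why the per-user salt and iteration count are the defender's controls.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # work factor chosen by the defender (assumed value)


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """What the site stores at sign-up: algorithm, cost, salt and digest."""
    salt = os.urandom(16)  # random per-user salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(record: str, guess: str) -> bool:
    """Recompute the hash of `guess` with the record's own parameters
    and compare it to the stored digest."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: wrong field count or bad encoding
    if algo != "pbkdf2_sha256" or iterations < 1:
        return False  # unknown scheme or invalid cost
    candidate = hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, iterations)
    # Constant-time comparison, as a login handler should use.
    return hmac.compare_digest(candidate, expected)


# Constructed sample record; the password is made up for this example.
RECORD = make_record("correct horse battery staple")

if __name__ == "__main__":
    print(verify(RECORD, "hunter2"))                       # guess does not match
    print(verify(RECORD, "correct horse battery staple"))  # guess matches
```

Because each record carries its own salt, two users with the same password get different stored values, so every guess has to be recomputed per record at the full iteration cost.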