He's gambling on the fact that people will not expect and therefor notice that $password is evaluating to something different on the first call.

I think he'd manage to confuse someone for a while with his smoke and mirrors. Which is a problem — because this must not be documented, you can bet there's going to be at least one person will be freaked out, whether or not a cracker ever sees it: the maintenance programmer.