On each _encrypt function call, we get different strings/encrypted passwords, so "matches" rule simply won't work.
I know it's possible to solve this by creating custom validation where we compare values of 2 password input fields, but I would like to know is there an elegant solution.