You shouldn’t use these hooks for that. If you wan’t to use the same password for some other app, then it’s crucial, that the password will always be the same.
So the best way will be to make sure it will be always true. How? By taking care of that.
WordPress uses wp_set_password function every time the password is changed. There are no hooks inside of it (https://core.trac.wordpress.org/browser/tags/5.1.1/src/wp-includes/pluggable.php#L0), but it’s pluggable – so you can write your own version of it. So do it:
function wp_set_password( $password, $user_id ) {
// Keep original WP code
global $wpdb;
$hash = wp_hash_password( $password );
$wpdb->update(
$wpdb->users,
array(
'user_pass' => $hash,
'user_activation_key' => '',
),
array( 'ID' => $user_id )
);
wp_cache_delete( $user_id, 'users' );
// and now add your own
$script_db = new wpdb('db', 'pass', 'user', 'localhost');
$custom_hash = password_hash( $password, PASSWORD_DEFAULT );
$userdata = get_userdata( $user_id );
$script_db->update(
'np_users',
array( 'password' => $custom_hash ),
array( 'email' => $userdata->user_email )
);
}
This way the password will always be synchronized. (For example your code would break the passwords if admin changed the password for user).
You also don’t have to store second hash as user meta. And it performs less queries – you don’t have to select user by email and then update the password using his ID – you can just run the update.
All you need to do is to put that function in your plugin.