Comment 1 for bug 843568

Using both Blowfish and SHA256 is not ideal as some users will have stronger passwords than others. We probably may use Blowfish as the main method. With regard of bulk user creation, we indeed can use SHA256 for speed, but upon the login of such user, after SHA256 verification, password hash will be replaced with generated Blowfish one. We might force conversion of existing MD5 passwords to Blowfish as well.