Steps for Lazy Migration:

1. Add a Column: Add a hash_version or new_password column to your database to differentiate between legacy (MD5) and new hashes.
2. Update Login Logic:
   - User enters plaintext_password.
   - Check if password_hash is MD5.
   - If yes, check if (md5(plaintext_password) == stored_md5_hash).
   - If matches, compute new_hash = password_hash(plaintext_password, PASSWORD_DEFAULT).
   - Update database with new_hash and set hash_version to "new".
3. Handle Remaining Users: After a set period, force a password reset for any remaining accounts still using the MD5 hash.
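The login step above as a runnable PHP sketch; this is an added example, not code from the original page. The users table, its column layout, the 'md5' marker for legacy rows and the login() function are assumptions made for illustration, and it compares the legacy hash with hash_equals() rather than ==, since PHP's == treats two "0e..." hex strings as equal numbers.

```php
<?php
declare(strict_types=1);

// Assumed schema: users(username, password_hash, hash_version).
// hash_version is 'md5' for legacy rows (assumed marker) and 'new' after upgrade.
function login(PDO $db, string $username, string $plaintext): bool
{
    $stmt = $db->prepare('SELECT password_hash, hash_version FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }

    if ($row['hash_version'] === 'md5') {
        // Legacy path: constant-time, string-only comparison of the hex digests.
        if (!hash_equals($row['password_hash'], md5($plaintext))) {
            return false;
        }
    } elseif (!password_verify($plaintext, $row['password_hash'])) {
        return false;
    } elseif (!password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        return true; // hash is already current, nothing to migrate
    }

    // The password is proven correct here: overwrite the stored value with a
    // fresh hash so the MD5 digest no longer exists in the database.
    $upd = $db->prepare("UPDATE users SET password_hash = ?, hash_version = 'new' WHERE username = ?");
    $upd->execute([password_hash($plaintext, PASSWORD_DEFAULT), $username]);
    return true;
}

// Demo on an in-memory SQLite database with one constructed legacy account.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT, hash_version TEXT)');
$db->prepare("INSERT INTO users VALUES (?, ?, 'md5')")->execute(['alice', md5('correct horse')]);

// 1) wrong password, 2) correct password via the MD5 path, 3) correct password after upgrade
var_dump(login($db, 'alice', 'wrong guess'));
var_dump(login($db, 'alice', 'correct horse'));
var_dump(login($db, 'alice', 'correct horse'));

// Inspect the stored row after the successful login.
$row = $db->query("SELECT password_hash, hash_version FROM users WHERE username = 'alice'")->fetch(PDO::FETCH_ASSOC);
echo $row['hash_version'], ' ', password_get_info($row['password_hash'])['algoName'], PHP_EOL;
```

The password_needs_rehash() branch reuses the same upgrade path for later changes to PASSWORD_DEFAULT, so the login code does not need another migration step when the default algorithm or cost changes.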