Search found 4 matches

by brar
Thu Feb 01, 2007 4:04 pm
Forum: General discussions
Topic: Passwords are pure MD5-Hashes?!
Replies: 16
Views: 14404

Using this would implicate that the authenticate() method always first needs to check if the MD5 hash is unsalted and allow a login if it is.
Yes, the 'migrate' passwordstyle would only be as secure as the 'old' style (in fact even less as there are two valid hash values instead of one). Only ...

by brar
Thu Feb 01, 2007 2:55 pm
Forum: General discussions
Topic: Passwords are pure MD5-Hashes?!
Replies: 16
Views: 14404

Yes, but we would need to use the fallback method also for the new logins in the core

Yes, but I think it doesn't hurt.

Ok I try to express myself in code - please excuse if it doesn't run out of the box but I'm a C# guy who transfers old Perl knowledge to PHP here. :wink:

authenticate($user ...

by brar
Thu Feb 01, 2007 1:39 pm
Forum: General discussions
Topic: Passwords are pure MD5-Hashes?!
Replies: 16
Views: 14404

Ok, Plugins make things a bit more complicated but I still think it is worth thinking about it.

I don't know about s9y internals but how about using (and recommending for plugins) a method like

authenticate(user, password, passwordstyle){
...
}

where passwordstyle is a configurable option with ...

by brar
Thu Feb 01, 2007 12:46 pm
Forum: General discussions
Topic: Passwords are pure MD5-Hashes?!
Replies: 16
Views: 14404

Passwords are pure MD5-Hashes?!

Hi there,
I just found out that s9y is using 'unsalted' MD5-Hashes to store the passwords into the database.
I found out because another user is using the same password as me which results in the same hash.
It is a common technique to "salt" the passwords by concatenating them with the user name ...