Migrated password hashes support

Technically, a user is not “using” the legacy password hash.

When a user logs in for the first time after a migration, and the password does not match the Discourse password (which will be a random string of characters initially), the plugin does its work.

  • it checks if the entered password does match the import_pass custom fields using all hash methods it knows about
  • if it finds a match, it saves the password to the user and then removes the import_pass custom field.

So after a few years, only the users who did not “use” the migrated password to login will still have an import_pass custom field.

a) they never logged in (you can check that with the last seen date)
b) they didn’t use the migrated password but logged in using email, a different auth method, or they have reset their password

:warning: I just realized that situation b can introduce a security issue. If a user does not remember their password and changes it, or if they use another auth method, the migrated password hash will still be there and can still be used next to the new password. I have just pushed an update to the plugin so it clears the import_pass custom field on every successful login.

So going forward, the import_pass custom field will only be there for users who never logged in.

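To make the two clean-up behaviours described in the post concrete, here is an added, self-contained Ruby sketch of the login flow. It is not the plugin's code: the `User` struct, the PBKDF2 settings, the legacy hash formats (plain MD5 and salted SHA-256 as `salt$hex`) and the `clear_on_every_login:` switch are all constructed for illustration. The switch is off for the original behaviour (import_pass only cleared when the legacy password was actually used) and on for the fix pushed in the post (import_pass cleared on every successful login), so `reset_then_try_legacy` reproduces situation b from the post.

```ruby
require "openssl"
require "digest"
require "securerandom"

# Constructed in-memory user record; stands in for Discourse's model.
User = Struct.new(:username, :password_hash, :salt, :custom_fields)

PBKDF2_ITER = 10_000 # assumption: low iteration count so the example runs fast

def discourse_hash(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITER, 32, "sha256").unpack1("H*")
end

# Constant-time string comparison so hash checks do not leak timing information.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def discourse_password_matches?(user, password)
  secure_equal?(discourse_hash(password, user.salt), user.password_hash)
end

def set_password!(user, new_password)
  user.salt = SecureRandom.hex(8)
  user.password_hash = discourse_hash(new_password, user.salt)
end

# Constructed legacy formats; every checker is tried, mirroring "all hash methods it knows about".
LEGACY_CHECKERS = {
  "md5" => ->(password, stored) { secure_equal?(Digest::MD5.hexdigest(password), stored) },
  "sha256_salted" => lambda { |password, stored|
    salt, hex = stored.split("$", 2)
    return false unless salt && hex
    secure_equal?(Digest::SHA256.hexdigest(salt + password), hex)
  }
}.freeze

def legacy_password_matches?(import_pass, password)
  LEGACY_CHECKERS.values.any? { |check| check.call(password, import_pass) }
end

# Returns :ok or :invalid. With clear_on_every_login: false the stale legacy hash
# survives a password reset; with true it is dropped on the first successful login.
def login(user, password, clear_on_every_login:)
  if discourse_password_matches?(user, password)
    user.custom_fields.delete("import_pass") if clear_on_every_login
    return :ok
  end
  import_pass = user.custom_fields["import_pass"]
  if import_pass && legacy_password_matches?(import_pass, password)
    set_password!(user, password)              # adopt the legacy password as the real one
    user.custom_fields.delete("import_pass")   # legacy hash no longer needed
    return :ok
  end
  :invalid
end

# Constructed migrated user: legacy site stored salted SHA-256, Discourse password is random.
def build_migrated_user(legacy_password)
  salt = "legacysalt"
  import_pass = "#{salt}$#{Digest::SHA256.hexdigest(salt + legacy_password)}"
  user = User.new("alice", nil, nil, { "import_pass" => import_pass })
  set_password!(user, SecureRandom.hex(16))
  user
end

# Situation b: the user resets the password, logs in with it, never uses the legacy one.
# Returns the result of then trying the old legacy password.
def reset_then_try_legacy(clear_on_every_login:)
  user = build_migrated_user("old-secret")
  set_password!(user, "new-secret")                                   # password reset
  login(user, "new-secret", clear_on_every_login: clear_on_every_login) # first login
  login(user, "old-secret", clear_on_every_login: clear_on_every_login)
end

if __FILE__ == $PROGRAM_NAME
  puts "legacy accepted after reset (old plugin): #{reset_then_try_legacy(clear_on_every_login: false)}"
  puts "legacy accepted after reset (fixed plugin): #{reset_then_try_legacy(clear_on_every_login: true)}"
end
```

The check a migrated site would want is the second line of output: once the fix is in, a legacy password must be rejected for anyone who has logged in by any other means, so the only accounts still carrying import_pass are the ones that have never logged in at all.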