- Improvement
- Resolution: Fixed
- Normal
Passwords set after MBS-9208 will use a more secure bcrypt hash, but the hashes of older passwords will stay as they were, so they will be easier to crack. It’s not possible to create a new hash (with a higher cost factor) without the cleartext password, which we don’t store, so upgrading all password hashes in the background is not an option. However, on each login, the user temporarily provides us with the cleartext password; we could use this opportunity to gradually re-hash the passwords of all active accounts.
- is related to: MBS-9208 Increase bcrypt cost parameter (Closed)