
Didn't the breach disclosure say "most" passwords were hashed with bcrypt? Obviously I don't know what everyone else got, but it can't have been better or they'd have said so...

I don't mean to detract from your point, good prevention beats reactionary resets. It just raised my eyebrows at the time as a strange weasel word in a claim that users were safe.



Now that you mention it, I remember that too. Seems weird, I don't know why you'd have some passwords hashed in other ways. Even if you've migrated, why not migrate everyone at once?


You need the user to log in once to get their raw password to rehash it. Unless you like rewrapping old hashes in every new one as it comes along.


Yep, exactly. You wrap them all in the new one, and migrate when the user next logs in.
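A sketch of the wrap-then-migrate scheme the two comments above describe, added here as an example and not from the thread: every stored legacy digest is wrapped in the new hash offline, and a record is replaced with a direct new-scheme hash the next time the user logs in. Assumptions: unsalted SHA-1 is the legacy scheme, and stdlib PBKDF2-HMAC-SHA256 stands in for bcrypt (the structure is identical).

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Tuple

# Assumption: PBKDF2-HMAC-SHA256 stands in for bcrypt so this runs on the
# standard library alone; the migration logic does not depend on the choice.
ITERATIONS = 200_000


def legacy_hash(password: str) -> bytes:
    """Constructed legacy scheme: unsalted SHA-1 (weak, hence the migration)."""
    return hashlib.sha1(password.encode()).digest()


def new_hash(material: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS)


@dataclass
class Record:
    scheme: str   # "legacy", "wrapped" or "new"
    salt: bytes
    digest: bytes


def wrap_legacy(rec: Record) -> Record:
    """Offline step, no password needed: store new_hash(legacy_digest).
    After this the old digest is no longer on disk for the whole table."""
    assert rec.scheme == "legacy"
    salt = os.urandom(16)
    return Record("wrapped", salt, new_hash(rec.digest, salt))


def verify_and_migrate(rec: Record, password: str) -> Tuple[bool, Record]:
    """Check the password under whatever scheme the record uses; on success
    a legacy or wrapped record is rebuilt as a direct new-scheme hash, which
    is only possible now because the raw password is in hand."""
    if rec.scheme == "legacy":
        candidate = legacy_hash(password)
    elif rec.scheme == "wrapped":
        candidate = new_hash(legacy_hash(password), rec.salt)
    else:
        candidate = new_hash(password.encode(), rec.salt)
    if not hmac.compare_digest(candidate, rec.digest):
        return False, rec          # failed login: record untouched
    if rec.scheme == "new":
        return True, rec
    salt = os.urandom(16)
    return True, Record("new", salt, new_hash(password.encode(), salt))
```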


The users table would surely contain more things than just usernames and bcrypt-hashed passwords.


Sure, and even if the passwords stay secure this is bad for users.

But I'm specifically reacting to "hashed passwords (the vast majority with bcrypt)". That's the sort of thing that's usually code for "except the ones which are horribly secured and will be compromised in a week".



