Adding users when using http-auth did so with a plaintext password; updated so this now hashes the password even though it's never used.
Updated adduser to check for existing user and use password hashing
If the password isn't used, I don't think we should be hashing it. We should be putting in some dummy text to show that it's unused.
If a user changes back to mysql-auth though, then none of the users will work (they won't if they've updated passwords since then anyway, but at least it's a chance). Dummy data, whilst it shouldn't be an issue as people won't be able to auth against it if we don't encrypt it, may be something we don't want to do, just in case someone finds a way to exploit this. If we do encrypt the dummy data, then it means that everyone knows the passwords.
I'll vote to encrypt the provided password as we've been happy enough with the level of encryption this offers so far :)