I don't think this is a bug. The password_format configuration only applies to db_ext auth types (the variable is $auth['db_ext']['password_format']). It is assumed that users in an external database are edited by an external tool.
Campbell
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
I don't think this is a bug. The password_format configuration only applies to db_ext auth types (the variable is $auth['db_ext']['password_format']). It is assumed that users in an external database are edited by an external tool.
Campbell
The only thing that could be said additionally to this is that MD5 is now considered by some to be insecure, we should consider moving to SHA1/SHA512.