No subject

site, go to a special page, enter their username and their old
password and a new password (which can be the same if they like). This
is a one off. After that they use the site as normal with their new
password.

What is really going on is that for the old users we keep a note that
they have an old htpasswd-style password hash. When they go to the
special password change page, we authenticate them using http basic
auth using their old password. We set their new digest passwd and
delete their old basic auth. This ought to be able to be done without
affecting the core features, as a separate "hackage feature", storing
the old htpasswd stuff separately.

Duncan