@Gargron checking hashes for current users is a lost cause in my opinion. Warn them about emails maximum.

You should check the passwords at creation time only for future users. ;)