For user accounts with a password set in Beaker (that is, accounts which are not authenticated through LDAP or Kerberos) Beaker stores the password as an unsalted SHA1 hash. It should at least be salted with a unique salt per user. Nick has suggested using passlib to do the hard work of managing passwords correctly: http://pythonhosted.org/passlib/
I realised we can tackle this for new installations without solving the password migration problem by offering a config option that enables a fallback option that checks for an unsalted hash. So new installations would get salted hashes by default, while existing installations could enable the option to check for unsalted hash entries in the DB.
(In reply to Nick Coghlan from comment #2) Better yet, passlib makes it easy to support the old hashes but automatically upgrade them to new ones after a user successfully authenticates. So for existing installations, no unsalted hashes should ever be left hanging around unless the user never logs in. If a site admin is concerned about that, they can easily find old passwords using a database query and NULL them out to disable the account or reset the password.
On Gerrit: http://gerrit.beaker-project.org/2562
Beaker 0.16.0 has been released.
I guess this is related issue: https://bugzilla.redhat.com/show_bug.cgi?id=1078790
Yes, there was an issue during the upgrade where the web service was inadvertently made available before the database update was complete and a couple of accounts attempted to log in and corrupted their password data. The affected accounts have had their passwords reset.