@benjojo The only way I can make this make sense is if they started with encrypted passwords in their database and are migrating to unencrypted passwords for new accounts and using the first character of the password field to determine if a password is encrypted or not. Could be wrong, but I can't imagine any reason that doesn't amount to the website being hot garbage.