If a storage scheme is configured as deprecated, which can be done using the deprecated-password-storage-scheme property in the password policy configuration, any user who authenticates using a password encoded with that scheme using a mechanism that provides the server with access to the clear-text representation of that password automatically has their password re-encoded using the default scheme. This provides an excellent way to transparently migrate user passwords from weaker encodings to stronger ones without requiring users to change their passwords.

See the config/sample-dsconfig-batch-files/deprecate-weak-password-storage-schemes.dsconfig batch file for more information about deprecating password storage schemes.