diff --git a/addons/auth_crypt/auth_crypt.py b/addons/auth_crypt/auth_crypt.py
index 33bb82d49ef..11537cd4c85 100644
--- a/addons/auth_crypt/auth_crypt.py
+++ b/addons/auth_crypt/auth_crypt.py
@@ -11,23 +11,41 @@ default_crypt_context = CryptContext(
     # kdf which can be verified by the context. The default encryption kdf is
     # the first of the list
     ['pbkdf2_sha512', 'md5_crypt'],
+    # deprecated algorithms are still verified as usual, but ``needs_update``
+    # will indicate that the stored hash should be replaced by a more recent
+    # algorithm. Passlib 1.6 supports an `auto` value which deprecates any
+    # algorithm but the default, but Debian only provides 1.5 so...
+    deprecated=['md5_crypt'],
 )
 
 class res_users(osv.osv):
     _inherit = "res.users"
 
     def _crypt_context(self, cr, uid, id, context=None):
-        """ Passlib PasswordHash (or CryptContext) instance used to encrypt
-        and verify passwords. Can be overridden if technical, legal or
-        political matters require different kdfs than the provided default.
+        """ Passlib CryptContext instance used to encrypt and verify
+        passwords. Can be overridden if technical, legal or political matters
+        require different kdfs than the provided default.
+
+        Requires a CryptContext as deprecation and upgrade notices are used
+        internally
         """
         return default_crypt_context
 
+    def _store_encrypted_password(self, cr, uid, id, encrypted, context=None):
+        """
+        :param uid: id of the current user
+        :param id: id of the user on which the password should be set
+        """
+        cr.execute(
+            "UPDATE res_users SET password='', password_crypt=%s WHERE id=%s",
+            (encrypted, id))
+
     def set_pw(self, cr, uid, id, name, value, args, context):
         if value:
             encrypted = self._crypt_context(cr, uid, id, context=context)\
                 .encrypt(value)
-            cr.execute("update res_users set password='', password_crypt=%s where id=%s", (encrypted, id))
+            self._store_encrypted_password(
+                cr, uid, id, encrypted, context=context)
 
     def get_pw( self, cr, uid, ids, name, args, context ):
         cr.execute('select id, password from res_users where id in %s', (tuple(map(int, ids)),))
@@ -51,14 +69,17 @@ class res_users(osv.osv):
         if cr.rowcount:
             stored_password, stored_password_crypt = cr.fetchone()
             if stored_password and not stored_password_crypt:
-                stored_password_crypt = self._crypt_context(cr, uid, id).encrypt(stored_password)
-                cr.execute("UPDATE res_users SET password='', password_crypt=%s WHERE id=%s", (stored_password_crypt, uid))
+                stored_password_crypt = self._crypt_context(cr, uid, uid).encrypt(stored_password)
+                self._store_encrypted_password(cr, uid, uid, stored_password_crypt)
         try:
             return super(res_users, self).check_credentials(cr, uid, password)
         except openerp.exceptions.AccessDenied:
-            # check md5crypt
             if stored_password_crypt:
-                if self._crypt_context(cr, uid, id).verify(password, stored_password_crypt):
+                valid, replacement = self._crypt_context(cr, uid, uid)\
+                        .verify_and_update(password, stored_password_crypt)
+                if replacement:
+                    self._store_encrypted_password(cr, uid, uid, replacement)
+                if valid:
                     return
             # Reraise password incorrect
             raise