Aren't the old passwords vulnerable as long as the Sha1 value is still around? Does it get deleted when converted to 512?
Yes, the old Sha1 is deleted on conversion.
any reason you didn't switch to something like bcrypt, scrypt, or PBKDF2?
Time. I only converted the data, I wasn't in the hashing code. At some point we'll upgrade the encoding to bcrypt or a successor. Time is always against us. We all have full time jobs, and my life in particular has been incredibly busy for the last nine months.
Once all the code is converted to Racket, this kind of thing will be much faster. Every Arc change requires painstakingly figuring out what each poorly-documented function and macro does.