Attached is an unrelated patch which addresses most of point (c).

This patch adds a .dummystr() method to the Password class, which 
returns a string containing the password's scheme, eg "
{SHA}*encrypted*". This patch updates the journal code so dummystr() is 
all that's stored in the password's history for any future password 
changes. It also updates the templating code so dummystr() is all that's 
displayed for past passwords still stored in journal, as well as when 
displaying the current password (for uniformity). 

I would have used the string "*encrypted*", but when stored in the 
journal, that string gets re-hashed when the history was displayed, 
which was somewhat confusing to the user, and wasted processing time. 

The one thing in point (c) this doesn't fix is that some code needs to 
be written to clean up existing journal entries to replace existing hash 
references with "{SHA}*encrypted*" - they won't be displayed on the web 
interface, but currently will remain in db.