Roundup Tracker - Issues

Message7697

Author rouilj
Recipients rouilj
Date 2022-12-23.03:36:34
Message-id <1671766594.75.0.431504150939.issue2551251@roundup.psfhosted.org>
In-reply-to
If the admin changes password_pbkdf2_default_rounds in config.ini, the encrypted password
is not updated to the new count when they log in to the web interface.

This case should be handled as though an insecure password encryption was used and 
migrate_passwords is set to yes.


It looks like this can be done by making password.py:Password::needs_migration
check that the number of rounds is < password_pbkdf2_default_rounds. Also change the signature
of needs_migration to accept a config argument so the method can check against the
password_pbkdf2_default_rounds setting.
History
Date                 User    Action  Args
2022-12-23 03:36:34  rouilj  set     recipients: + rouilj
2022-12-23 03:36:34  rouilj  set     messageid: <1671766594.75.0.431504150939.issue2551251@roundup.psfhosted.org>
2022-12-23 03:36:34  rouilj  link    issue2551251 messages
2022-12-23 03:36:34  rouilj  create
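The rehash-on-login behaviour the message asks for, as an added sketch that is not Roundup's code and not part of the original message. Only the names password_pbkdf2_default_rounds (here the `configured_rounds` argument) and migrate_passwords come from the page; the `{PBKDF2}<rounds>$<salt>$<digest>` storage format, the SHA-256 choice and all function signatures are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os

SCHEME = "{PBKDF2}"  # constructed format: {PBKDF2}<rounds>$<b64 salt>$<b64 digest>

def _derive(password, salt, rounds):
    # SHA-256 is an assumption of this sketch, not taken from the page.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)

def encode(password, rounds):
    """Hash a password with a fresh salt at the given round count."""
    salt = os.urandom(16)
    digest = _derive(password, salt, rounds)
    return "%s%d$%s$%s" % (SCHEME, rounds,
                           base64.b64encode(salt).decode(),
                           base64.b64encode(digest).decode())

def _unpack(stored):
    rounds, salt, digest = stored[len(SCHEME):].split("$")
    return int(rounds), base64.b64decode(salt), base64.b64decode(digest)

def verify(stored, password):
    if not stored.startswith(SCHEME):
        return False  # other schemes are out of scope for this sketch
    try:
        rounds, salt, digest = _unpack(stored)
        return hmac.compare_digest(_derive(password, salt, rounds), digest)
    except ValueError:
        return False  # malformed record or invalid round count

def needs_migration(stored, configured_rounds):
    """True for a non-PBKDF2 scheme or a round count below the configured one."""
    if not stored.startswith(SCHEME):
        return True
    try:
        return _unpack(stored)[0] < configured_rounds
    except ValueError:
        return True

def login(stored, password, configured_rounds, migrate_passwords=True):
    """Return (authenticated, value_to_store); rehash only after a good login."""
    if not verify(stored, password):
        return False, stored
    if migrate_passwords and needs_migration(stored, configured_rounds):
        return True, encode(password, configured_rounds)
    return True, stored
```

The upgrade can only happen at login because that is the one moment the plaintext is available to re-derive the hash; accounts that never log in keep the old round count.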