Re: So...institutionally insecure?
or
Add no bit to user table, but expand the password field so that it is large enough to store a bcrypt hash.
Then, on logon validation, look at the length of the stored hash. If length != 20 ** then assume bcrypt and proceed accordingly, but if length == 20 then assume SHA1, validate against the stored hash, and if it passes updated the stored hash with the bcrypted version of the same value. After a REASONABLE period of time expire and wipe any account still having an SHA1 hash in the database and if the user does comes back make them go through a password reset procedure to establish a new, secure password.
** or 40 if storing the hexidecimal string instead of the actual hash.