From what I remember on a large migration project with Members, I had lots of null passwords (the original site only had email addresses). We just imported via a bulk uploader and then emailed the list to go reset their passwords. It seems to work fine and users that don't have passwords in SilverStripe simply can't log in until they reset. Someone correct me if I'm wrong though.
And on an unrelated note how did Devlin get his code to indent?
I use tabs instead of spaces.
users that don't have passwords in SilverStripe simply can't log in
This seems correct. Well, as long as no one would remove the validator in the default login form.