You can add a default null field for the new password hash.
At the time of successful authorization, you know the user's real password, so if the new password in the database is null, and the old hash matches, then save the new hash in a new field, and discard the field with the old password to null.
After a couple of months / six months / a year / choose_by_mood, cut out the code of the old hash and drop the column from the database. For everyone who wants to log in, but who has null instead of a password, write that you need to go through the password recovery procedure.
An active audience will not notice the change. Those who visit too infrequently will have to sacrifice and be forced to go through a longer procedure.

PS There was an idea in the forehead: just regenerate passwords and send notifications to users, but this is somehow not humane in relation to users.

IMHO the best solution.
- Regenerate everything to random passwords, and set the "change_password" flag in the database.
When you log in, just show an error that you need to use the "Recover password" function

The correct answer was given.
I will write bad.
Hash the hashes again with whatever you want.
When checking a password -> always convert to md5 first.
So you save passwords, though you have to code and think about where to stick so that md5 hashing works before hashing out of the box.
Middleware is probably the easiest way to hang up and make incoming md5 passwords, then start up further.