Bug
Resolution: Fixed
3.0.x
At the moment passwords are escaped before hashing is done. E.g. a & character is escaped to &amp; before the md5 hash is calculated.
Because it is done when the password is set AND when the password is verified, everything seems to work as it should. But unless there is a strong reason to do the transformation, I would suggest hashing the unescaped form, because many forum systems probably use this form (perhaps you know the phpBB 2.x forum software, which just uses the md5 over the original password).
Changing it now would prevent some broken passwords when the first official converters appear.
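The mismatch described in this report, as an added example that is not phpBB code or part of the original ticket. It assumes the escaping step behaves like PHP's `htmlspecialchars()` (the report only states that & becomes &amp;); the function names and sample passwords are hypothetical.

```php
<?php
// Added illustration, not phpBB code. Assumption: the escaping step behaves
// like PHP's htmlspecialchars() (the report only states that & becomes &amp;).

// Scheme described in the report: escape first, then md5.
function hash_escaped(string $password): string
{
    return md5(htmlspecialchars($password, ENT_COMPAT, 'UTF-8'));
}

// Scheme of the source forum (phpBB 2.x per the report): md5 over the original.
function hash_raw(string $password): string
{
    return md5($password);
}

// Login check as it works when the escaped form is hashed on set AND on verify.
function verify_escaped(string $submitted, string $stored_hash): bool
{
    return hash_equals($stored_hash, hash_escaped($submitted));
}

// Constructed sample passwords; none come from the report.
$samples = ['correcthorse', 'salt&pepper', 'a<b>c', 'say"hi"'];

foreach ($samples as $pw) {
    $native   = hash_escaped($pw); // password set inside the new system
    $imported = hash_raw($pw);     // hash copied over unchanged by a converter

    printf(
        "%-14s native login: %-4s imported login: %s\n",
        $pw,
        verify_escaped($pw, $native) ? 'ok' : 'FAIL',
        verify_escaped($pw, $imported) ? 'ok' : 'FAIL'
    );
}
```

Natively set passwords always verify, which is why the behaviour goes unnoticed; an imported hash only fails for passwords containing a character the escaper rewrites.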

