Recently, we took over a Magento 2 project where data had been migrated from an older Magento 1 instance. The merchant complained that after the migration some customers were no longer able to log in. Even a password reset did not work.
It took us a while to figure out what was going on. Apparently, Magento 2 no longer stores passwords in an EAV attribute but in the customer_entity database table. During customer login, the code checks whether an EAV attribute "password_hash" exists and, if so, uses it for the password check. If the attribute is not set for the customer, the hash stored in the customer_entity database table is used instead. The customers who could not log in had the EAV attribute set, so the password comparison failed because of the different hashing algorithms used in the different Magento versions.
The fix was easy: Delete the password_hash EAV attribute for all customers that have it set:
DELETE FROM customer_entity_varchar WHERE attribute_id IN (SELECT attribute_id FROM eav_attribute WHERE attribute_code = 'password_hash');
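
A more cautious way to run the same cleanup, as an added example that is not from the original post: it lists the affected customers, keeps a copy of the rows, and deletes inside a transaction. It assumes the stock Magento 2 schema on MySQL; the backup table name customer_entity_varchar_pwhash_backup is hypothetical.

```sql
-- Added example. Assumes stock Magento 2 tables on MySQL/MariaDB.
-- customer_entity_varchar_pwhash_backup is a hypothetical table name.

-- 1. List customers whose leftover EAV hash shadows the hash in customer_entity.
--    Only hash lengths are selected so no hash values end up in query output.
SELECT ce.entity_id,
       ce.email,
       LENGTH(cev.value)        AS eav_hash_length,
       LENGTH(ce.password_hash) AS entity_hash_length
FROM customer_entity_varchar AS cev
JOIN eav_attribute   AS ea ON ea.attribute_id   = cev.attribute_id
JOIN eav_entity_type AS et ON et.entity_type_id = ea.entity_type_id
JOIN customer_entity AS ce ON ce.entity_id      = cev.entity_id
WHERE ea.attribute_code = 'password_hash'
  AND et.entity_type_code = 'customer';

-- 2. Keep a copy of the rows. DDL commits implicitly in MySQL,
--    so this runs before the transaction is opened.
CREATE TABLE customer_entity_varchar_pwhash_backup AS
SELECT cev.*
FROM customer_entity_varchar AS cev
JOIN eav_attribute   AS ea ON ea.attribute_id   = cev.attribute_id
JOIN eav_entity_type AS et ON et.entity_type_id = ea.entity_type_id
WHERE ea.attribute_code = 'password_hash'
  AND et.entity_type_code = 'customer';

-- 3. Delete inside a transaction and compare the counts before committing.
START TRANSACTION;

DELETE cev
FROM customer_entity_varchar AS cev
JOIN eav_attribute   AS ea ON ea.attribute_id   = cev.attribute_id
JOIN eav_entity_type AS et ON et.entity_type_id = ea.entity_type_id
WHERE ea.attribute_code = 'password_hash'
  AND et.entity_type_code = 'customer';

SELECT ROW_COUNT() AS deleted_rows,
       (SELECT COUNT(*) FROM customer_entity_varchar_pwhash_backup) AS backed_up_rows;

-- If deleted_rows equals backed_up_rows, run COMMIT; otherwise run ROLLBACK;
-- The backup table contains password hashes: drop it once logins are verified.
```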