I'm using a follow-up reply rather than delete in case this helps someone else.
The password field migrates over as text and gets encrypted (I assume) when loaded into the BC database.
I misunderstood the id field and thought that the email would be used as the username if the username was blank. You still need to add the username but the unique identifier used for the id field is the email if you leave the id field blank (doesn't relate to the username).
I tested migration insert by adding the password as '12345' and was able to login with the provisioned username - for what it's worth.