diff --git a/services/web/scripts/purge_legacy_passwords.js b/services/web/scripts/purge_legacy_passwords.js
new file mode 100644
index 0000000000..49caf1f8be
--- /dev/null
+++ b/services/web/scripts/purge_legacy_passwords.js
@@ -0,0 +1,40 @@
+const { db, waitForDb } = require('../app/src/infrastructure/mongodb')
+const { batchedUpdateWithResultHandling } = require('./helpers/batchedUpdate')
+const { UserAuditLogEntry } = require('../app/src/models/UserAuditLogEntry')
+const DRY_RUN = process.env.DRY_RUN !== 'false'
+
+const VARIANTS = [
+  {
+    query: { sharelatexHashedPassword: { $exists: true } },
+    update: { $unset: { sharelatexHashedPassword: true } },
+  },
+  {
+    query: { hashedPassword: { $regex: /^[0-9a-f]{64}$/ } },
+    update: { $unset: { hashedPassword: true } },
+  },
+]
+
+if (require.main === module) {
+  batchedUpdateWithResultHandling(
+    'users',
+    { $or: VARIANTS.map(variant => variant.query) },
+    async users => {
+      const userIds = users.map(user => user._id)
+      if (DRY_RUN) {
+        console.warn(`Running in dry-run mode. Skipping updates for ${userIds}`)
+        return
+      }
+      for (const userId of userIds) {
+        await UserAuditLogEntry.create({
+          userId,
+          operation: 'purge-legacy-password',
+          info: { script: true },
+        })
+      }
+      await waitForDb()
+      for (const { query, update } of VARIANTS) {
+        await db.users.updateMany({ _id: { $in: userIds }, ...query }, update)
+      }
+    }
+  )
+}