I have disabled users in my project as well - it works great for an importer when something just doesn't quite import as a resource belonging to something (flukes happen).
However, why is it so hard to make sure that a disabled user is actually disabled... I mean, even just setting the password to NULL would result in no possible SHA-256 hash matching (and I use hashing more advanced than SHA-256 alone BTW, just saying for sake of argument here). Instead, some idiot set the password to disabled1system1user6708 hoping that nobody would ever figure it out. Which might have somehow still actually worked because reversing a hash is hard, had they not left it in plain text in the package.
However, why is it so hard to make sure that a disabled user is actually disabled... I mean, even just setting the password to NULL would result in no possible SHA-256 hash matching (and I use hashing more advanced than SHA-256 alone BTW, just saying for sake of argument here). Instead, some idiot set the password to disabled1system1user6708 hoping that nobody would ever figure it out. Which might have somehow still actually worked because reversing a hash is hard, had they not left it in plain text in the package.