The patch to hash the new user tokens for #WordPress is in the #Debian 4.8.2-2 version of the package.
It will be in the #stretch security package once it has been reviewed and will be part of the 4.8.2 backported patches for Debian stretch.