After a test on a local server which worked as expected, the public website has only recorded the maintenance account password. Lots of users have logged in and out since AES activation but the 'aes_passwords' table still has only one record.
Mcrypt is OK and the checkbox to record users password is checked. The key is stored in a file which was automatically created after saving the path in the settings page.
But if maintenance account password has been recorded, why not others?
Should the 'View passwords' permission be granted to roles I want the users' password to be recorded?