I am using a User model based on the one found in the basic and advanced app that uses password_hash. I’m having trouble finding the best practice for dealing with the creation and updating of a user model when the password is not set directly. I have tried using scenarios as well as creating a specific UserCreate form and creating the User object inside that but both of these approaches seem off.
Looking for suggestions on how others have handled this.
Advanced app already handles this, is there something wrong?
Please explain a little bit more 
.
Are you trying to use an other table in the database with the users and passwords ?
You want only to know how to do the crud for users or you already have them ?
IMO … best practices depend on a lot of things specific to your app and user requirements. If I understand correct, you do not want the user to set password during signup. For the Yii2 advanced app - you can set the password in the model this way:
// $user is the user model
$user->setPassword($attributes['password']);
Some more discussion on this in this discussion… in fact goes beyond the the topic of the discussion - to how models should be designed :-).