currently Piwik stores the user-password with bad encryption in the database. The password is just 1 time md5-crypted. But: The md5-Algorithm is nowadays considered insecure. If a hacker gains access to the database, he can easily crack all the userpasswords. There is a salt in the config-file, but it seems as if the salt isn’t even used. Please consider revising this point.
Also, please consider moving from md5 as the default cryptor to a more secure crypter or even a crypting-engine like phpass ( Portable PHP password hashing (“password encryption”) framework ).
I didn’t find the correct line of code for this, but I was afraid as I used a basic md5 of my password and found that in the database.