by Karunamon 3839 days ago
Eh. The analytics data is pretty low value as far as hacker targets, and this can be mostly mitigated anyways by sane segregation of the admin backend from the publicly accessible site.

There's an open ticket for it, but it looks like it hasn't been addressed in a while since they don't want to break all existing passwords.

https://github.com/piwik/piwik/issues/5728

3 comments

A low-value target maybe, but having a critical security ticket open for seven years is unforgivable. If they don't want to break compatibility it's pretty simple: use something like PHPass and upgrade the hash when the user next logs in, i.e. what every halfway sensible web app did at least five years ago.
It does not have to break all existing passwords. Just add an envelope for the old passwords.
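The two migration ideas above (wrap the old hashes in an envelope so nobody is locked out, then replace the envelope with a direct hash the next time the user logs in) as an added, stand-alone example; this is not Piwik's code and not from the thread. It assumes the legacy scheme is an unsalted MD5 hex digest and uses stdlib PBKDF2-HMAC-SHA256 in place of PHPass/bcrypt; the `scheme$salt$hash` storage format is invented for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

ITERATIONS = 200_000  # PBKDF2 work factor; tune to the hardware

def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()

def _pbkdf2(secret: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS)

def legacy_hash(password: str) -> str:
    # Assumed legacy scheme (unsalted MD5 hex); the thread does not state Piwik's actual format.
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password: str) -> str:
    # New direct scheme: salted PBKDF2 over the password itself.
    salt = os.urandom(16)
    return "pbkdf2$" + _b64(salt) + "$" + _b64(_pbkdf2(password.encode(), salt))

def envelope_legacy(stored_legacy_hex: str) -> str:
    # One-off batch step over the user table: wrap the existing digest in a salted
    # PBKDF2 layer. Needs no password, and the weak MD5 is no longer stored bare.
    salt = os.urandom(16)
    return "pbkdf2+legacy$" + _b64(salt) + "$" + _b64(_pbkdf2(stored_legacy_hex.encode(), salt))

def verify(stored: str, password: str) -> Tuple[bool, Optional[str]]:
    # Returns (ok, replacement). replacement is a fresh direct hash to persist when
    # an enveloped legacy record has just been verified, so the MD5 layer goes away.
    scheme, salt_b64, digest_b64 = stored.split("$")
    if scheme == "pbkdf2":
        secret = password.encode()
    elif scheme == "pbkdf2+legacy":
        secret = legacy_hash(password).encode()  # recompute the inner legacy digest
    else:
        return False, None
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    ok = hmac.compare_digest(_pbkdf2(secret, salt), expected)
    if ok and scheme == "pbkdf2+legacy":
        return True, hash_password(password)  # upgrade on successful login
    return ok, None
```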