Piwik stores passwords as unsalted MD5 hashes
So, apparently there's a seven-year-old GitHub issue to improve the password hashing (you can confirm it's still unsalted MD5 with "SELECT password FROM piwik_user"). But it hasn't been implemented because they want backwards compatibility with APIs or something. This means a not-too-difficult timing attack can probably be used to guess the password.
Piwik is pretty awesome, but this is just terrible security practice.
Saw this originally on https://news.ycombinator.com/item?id=10697045
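As an added example (not from the post above and not Piwik's own code), the following Python shows concretely what an attacker who has read the `password` column can do with unsalted MD5 digests, and what a salted, deliberately slow hash changes. The `piwik_user` rows, logins and wordlist are constructed for the example; the hardened function uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for whatever the GitHub issue proposes (bcrypt, scrypt or Argon2 are the usual choices in practice).

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example rows, standing in for the output of
#   SELECT login, password FROM piwik_user
# on an install that stores unsalted MD5. Logins and passwords are made up
# for this example; the digests are computed here from those passwords.
def unsalted_md5(password: str) -> str:
    """The weak scheme: hex MD5 of the raw password, no salt, no work factor."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

SAMPLE_USERS = {
    "alice": unsalted_md5("password123"),
    "bob":   unsalted_md5("letmein"),
    "carol": unsalted_md5("password123"),   # same password as alice
    "dave":  unsalted_md5("correct horse battery staple"),
}

# A tiny constructed wordlist; real attackers use hundreds of millions of entries.
WORDLIST = ["123456", "password", "qwerty", "letmein", "password123", "admin"]


def build_lookup_table(wordlist):
    """Precompute digest -> password once. Because there is no salt, the same
    table works against every user in every database that uses this scheme."""
    return {unsalted_md5(w): w for w in wordlist}


def crack_unsalted(users, table):
    """Recover every password whose digest appears in the precomputed table.
    Each recovery is a dictionary lookup: no hashing happens per user at all."""
    return {login: table[digest] for login, digest in users.items() if digest in table}


def shared_password_groups(users):
    """Without salt, equal digests mean equal passwords, so the dump alone
    reveals which users share a password, before any cracking is attempted."""
    groups = {}
    for login, digest in users.items():
        groups.setdefault(digest, []).append(login)
    return [sorted(logins) for logins in groups.values() if len(logins) > 1]


# Hardened alternative (added here, not Piwik's code): a random per-user salt
# and a slow KDF, stored with its parameters so they can be raised later.
def salted_pbkdf2(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, stored: str) -> bool:
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so the verifier itself does not leak via timing.
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("cracked from dump:", crack_unsalted(SAMPLE_USERS, table))
    print("users sharing a password:", shared_password_groups(SAMPLE_USERS))
    a = salted_pbkdf2("password123")
    b = salted_pbkdf2("password123")
    print("salted digests differ for the same password:", a != b)
    print("verification still works:", verify_pbkdf2("password123", a))
```

The point of the contrast is that the precomputed table is the whole attack against the unsalted column, while against the salted output the attacker has to run the slow KDF separately for every user and every guess, and the dump no longer even shows which users share a password.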