
I recently found out that piwik also uses a login token of the MD5 of the password[0]. So this mistake is still very prevalent.

If you want to provide a one-click automatic login to Piwik for your users, you can use the ‘logme’ mechanism, and pass their login & the md5 string of their password in the URL parameters:

https://stats.example.org/index.php?module=Login&action=logm...

[0] - http://piwik.org/faq/how-to/#faq_30



That's actually a whole lot worse than the AM version here. The MD5 hashes themselves are usable as a valid password!

And the cracking of the MD5 hash back to the original password is fully amenable to rainbow tables. All you need is hashes which you can extract from DB or webserver logs... Or sslstrip'd/HTTP traffic if that's possible.
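The two properties this comment points at (the stored hash is itself the credential, and it is a static, unsalted MD5) contrasted with a short-lived signed token, as an added Python example that is not from the thread and not Piwik's code; the server secret, function names and password are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed stand-in for a server-side signing key (assumption, not a Piwik value).
SERVER_SECRET = b"constructed-server-secret-do-not-reuse"


def weak_logme_token(password: str) -> str:
    """The pattern the FAQ describes: the URL token is just md5(password).
    It never changes, depends only on the password, and is accepted wherever
    it turns up (URL, proxy or web server log, Referer header)."""
    return hashlib.md5(password.encode()).hexdigest()


def verify_weak(stored_md5: str, presented: str) -> bool:
    """Server side: compare the URL token with the stored hash. Because the
    stored value *is* the token, anyone who reads the DB column is logged in."""
    return hmac.compare_digest(stored_md5, presented)


def issue_signed_token(login: str, ttl_seconds: int = 300, now: Optional[int] = None) -> str:
    """Alternative: a per-issuance token with an expiry and a random nonce,
    signed with a server secret. The password hash cannot be used to mint one,
    and a token captured from a log expires after ttl_seconds."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    nonce = secrets.token_hex(8)
    payload = f"{login}|{expires}|{nonce}"
    mac = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def verify_signed_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the login if the token is well-formed, correctly signed and not
    expired, else None. Single-use would additionally need the nonce stored
    server side and rejected on reuse."""
    now = int(time.time()) if now is None else now
    try:
        login, expires, nonce, mac = token.split("|")
    except ValueError:
        return None
    payload = f"{login}|{expires}|{nonce}"
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return None
    if int(expires) < now:
        return None
    return login
```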


Can you open a feature request on their bug tracker to change it to a more secure alternative?


Good call. https://github.com/piwik/piwik/issues/8753

It seems like this has been on the back burner for a while, though ...



