At the moment Matomo stores passwords as password_hash(md5($user_password)). While this isn't a huge issue, this also isn't ideal.
To avoid this one could create a migration that adds some version string to this hash and then modifies the code to allow logging in with this modified old hash. In addition a new method could be created that uses password_hash directory (with some other version string).
Finally every time a user logs in, the password hash could be migrated from the old to the new method using the users password directly. (quite similar to the current setup with password_needs_rehash)