What is Drupal's default password encryption method?

Question

I am trying to figure out what is the security that Drupal 6/7 uses by default to store passwords. Is it MD5, AES, SHA? I have been unable to find anything.

Answer 1

Here is an example hash from Drupal 7:

• "pass" : "$S$Dxl65W9p07LfQU7jvy5CnsyDpMoLujiAgzy123khcg1OJi/P9pKS"

• The characters 0-2 are the type ( $S$ is Drupal 7 )

• The character 3 is the number of log2 rounds (X) based on the position of the char in this list: './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz' So in our example 'D' would map to 15
• The characters 4-11 are the SALT
• The rest is a SHA512 hash using 2^X rounds.

• The binary result is then converted to a string using base64.

  $count = 1 << $count_log2;
  $hash = hash($algo, $salt . $password, TRUE);
  do { $hash = hash($algo, $hash . $password, TRUE);
  } while (--$count);

The whole process can be found in: mydrupalsite\includes\password.inc