php - What is Drupal's default password encryption method?

Disclaimer: this page is a Chinese-English bilingual translation of a popular StackOverflow question, provided under the CC BY-SA 4.0 license. If you use it you must likewise comply with CC BY-SA, cite the original URL and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/5031662/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

Time: 2020-08-25 16:35:01  Source: igfitidea

What is Drupal's default password encryption method?

Tags: php, mysql, drupal

Asked by Chris Abrams

I am trying to figure out what is the security that Drupal 6/7 uses by default to store passwords. Is it MD5, AES, SHA? I have been unable to find anything.

Answered by CalebD

Drupal 8 and Drupal 7 use SHA512 by default with a salt. They run the hash through PHP's hash function numerous times to increase the computation cost of generating a password's final hash (a security technique called stretching).

With Drupal 8, the implementation is object oriented. There is a PasswordInterface which defines a hash method. The default implementation of that interface is in the PhpassHashedPassword class. That class' hash method calls the crypt method, passing in SHA512 as the hashing algorithm, a password, and a generated salt. The class' crypt method is nearly the same as Drupal 7's _password_crypt() method.

With Drupal 7, the implementation is split into a couple of global functions: user_hash_password() and _password_crypt().

Drupal 6 uses MD5 without a salt. The relevant function is user_save().

Answered by Ray Hulha

Here is an example hash from Drupal 7:

  • "pass" : "$S$Dxl65W9p07LfQU7jvy5CnsyDpMoLujiAgzy123khcg1OJi/P9pKS"
  • The characters 0-2 are the type ($S$ is Drupal 7).
  • The character 3 is the number of log2 rounds (X), based on the position of the char in this list: './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'. So in our example 'D' would map to 15.
  • The characters 4-11 are the SALT.
  • The rest is a SHA512 hash using 2^X rounds.
  • The binary result is then converted to a string using base64.

    // Stretching loop from _password_crypt() in includes/password.inc:
    // $algo is 'sha512', $count_log2 is the value decoded from character 3 (15 for 'D').
    $count = 1 << $count_log2;
    $hash = hash($algo, $salt . $password, TRUE);
    do {
      $hash = hash($algo, $hash . $password, TRUE);
    } while (--$count);

The whole process can be found in: mydrupalsite\includes\password.inc

Answered by Tarun Gupta

It can be checked inside www\includes\password.inc

function user_check_password($password, $account) {
  if (substr($account->pass, 0, 2) == 'U$') {
    // This may be an updated password from user_update_7000(). Such hashes
    // have 'U' added as the first character and need an extra md5().
    $stored_hash = substr($account->pass, 1);
    $password = md5($password);
  }
  else {
    $stored_hash = $account->pass;
  }

  $type = substr($stored_hash, 0, 3);
  switch ($type) {
    case '$S$':
      // A normal Drupal 7 password using sha512.
      $hash = _password_crypt('sha512', $password, $stored_hash);
      break;
    case '$H$':
      // phpBB3 uses "$H$" for the same thing as "$P$".
    case '$P$':
      // A phpass password generated using md5.  This is an
      // imported password or from an earlier Drupal version.
      $hash = _password_crypt('md5', $password, $stored_hash);
      break;
    default:
      return FALSE;
  }
  return ($hash && $stored_hash == $hash);
}

It's been clearly written that "// A normal Drupal 7 password using sha512."

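The two answers above describe the $S$ layout and the stretching loop, and show user_check_password() dispatching on the hash type. The following is an added example, not Drupal's own code: a Python port of that scheme from includes/password.inc so a stored hash can be parsed and a candidate password verified offline. The function names (phpass_b64, parse_setting, drupal7_crypt, drupal7_hash, check_password) are my own, the sample password and fixed salt are constructed, and only the hash types named in the answer above ($S$, $P$, $H$ and the 'U$' legacy prefix) are handled.

```python
# Added example (not Drupal's own code): Python port of the Drupal 7 password
# scheme from includes/password.inc. Field layout as described in the answer
# above: '$S$' type, one log2-rounds char, 8-char salt, then the phpass-style
# base64 of the stretched digest, truncated to 55 characters.
import hashlib
import hmac
import os
from typing import Optional

ITOA64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
MIN_LOG2, MAX_LOG2, DEFAULT_LOG2 = 7, 30, 15   # DRUPAL_MIN/MAX/HASH_COUNT
HASH_LENGTH = 55                                # DRUPAL_HASH_LENGTH
ALGO_FOR_TYPE = {'$S$': 'sha512',               # native Drupal 7 hash
                 '$P$': 'md5',                  # portable phpass (imported)
                 '$H$': 'md5'}                  # phpBB3 spelling of $P$


def phpass_b64(data: bytes) -> str:
    """phpass 'base64' (not RFC 4648): 3 bytes -> 4 chars, little-endian bit
    order, custom alphabet, no padding; 1 or 2 trailing bytes give 2 or 3 chars."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, 'little')        # b0 | b1<<8 | b2<<16
        for k in range(len(chunk) + 1):
            out.append(ITOA64[(value >> (6 * k)) & 0x3F])
    return ''.join(out)


def parse_setting(stored: str) -> dict:
    """Split the 12-char setting prefix of a stored hash into its fields."""
    if len(stored) < 12 or stored[0] != '$' or stored[2] != '$':
        raise ValueError('not a phpass-style hash')
    if stored[:3] not in ALGO_FOR_TYPE:
        raise ValueError('unknown hash type %r' % stored[:3])
    log2 = ITOA64.find(stored[3])
    if not MIN_LOG2 <= log2 <= MAX_LOG2:
        raise ValueError('round count outside Drupal bounds')
    return {'type': stored[:3], 'algo': ALGO_FOR_TYPE[stored[:3]],
            'count_log2': log2, 'rounds': 1 << log2, 'salt': stored[4:12]}


def drupal7_crypt(password: str, setting: str) -> str:
    """Port of _password_crypt(): re-derive the hash under an existing
    setting string (the first 12 chars of a stored hash)."""
    pw = password.encode('utf-8')
    if len(pw) > 512:                 # DoS guard that password.inc applies
        raise ValueError('password too long')
    f = parse_setting(setting)
    digest = hashlib.new(f['algo'], f['salt'].encode('ascii') + pw).digest()
    for _ in range(f['rounds']):      # the do/while stretching loop
        digest = hashlib.new(f['algo'], digest + pw).digest()
    return (setting[:12] + phpass_b64(digest))[:HASH_LENGTH]


def drupal7_hash(password: str, count_log2: int = DEFAULT_LOG2,
                 salt_bytes: Optional[bytes] = None) -> str:
    """Port of user_hash_password(): 6 random salt bytes -> 8 salt chars."""
    if salt_bytes is None:
        salt_bytes = os.urandom(6)
    setting = '$S$' + ITOA64[count_log2] + phpass_b64(salt_bytes)
    return drupal7_crypt(password, setting)


def check_password(password: str, stored: str) -> bool:
    """Port of user_check_password(), including the 'U$' case: a Drupal 6 md5
    hash that user_update_7000() re-hashed, so the password is md5'd first."""
    if stored.startswith('U$'):
        stored = stored[1:]
        password = hashlib.md5(password.encode('utf-8')).hexdigest()
    try:
        candidate = drupal7_crypt(password, stored)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, stored)   # constant-time compare


if __name__ == '__main__':
    # Constructed sample: a fixed salt makes the output reproducible.
    h = drupal7_hash('correct horse', salt_bytes=b'\x01\x02\x03\x04\x05\x06')
    print(h)
    print(parse_setting(h))
    print(check_password('correct horse', h), check_password('wrong', h))
```

Running parse_setting() on the example hash from the answer above returns count_log2 15 (32768 rounds) and the salt 'xl65W9p0', matching the field positions listed there. The compare uses hmac.compare_digest rather than `==`, which is the one place this port deliberately differs from the PHP shown above.

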
Answered by David Gillen

For Drupal 6 core, the method uses MD5 and, as I understand it, there isn't any salting used. For Drupal 7 some more advanced hashing is used. A good article on it is here: http://joncave.co.uk/2011/01/password-storage-in-drupal-and-wordpress/

Answered by user889030

Drupal 8 is using Phpass (modified version)

Drupal 7 uses SHA-512 + salt

Drupal 6 and previous versions were using md5 with no salt
