What is Drupal's default password encryption method?

#1
I am trying to figure out what security Drupal 6/7 uses by default to store passwords. Is it MD5, AES, SHA? I have been unable to find anything.
Reply

#2
Drupal 8 and Drupal 7 use SHA512 by default with a salt. They run the hash through PHP's [hash][1] function numerous times to increase the computation cost of generating a password's final hash (a security technique called [stretching][2]).

With Drupal 8, the implementation is object oriented. There is a [PasswordInterface][3] which defines a hash method. The default implementation of that interface is in the [PhpassHashedPassword][4] class. That class' [hash][5] method calls the [crypt][6] method passing in SHA512 as the hashing algorithm, a password, and a generated salt. The class' crypt method is nearly the same as Drupal 7's [_password_crypt()][7] method.

With Drupal 7, the implementation is split into a couple global functions: [user_hash_password()][8] and [_password_crypt()][9].

Drupal 6 uses MD5 without a salt. The relevant function is [user_save()][10].

Reply

#3
Here is an example hash from Drupal 7:

- "pass" : "$S$Dxl65W9p07LfQU7jvy5CnsyDpMoLujiAgzy123khcg1OJi/P9pKS"

- The characters 0-2 are the type ($S$ is Drupal 7).
- Character 3 is the number of log2 rounds (X), given by the position of the character in this list: './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'. So in our example 'D' maps to 15.
- The characters 4-11 are the SALT.
- The rest is a SHA512 hash using 2^X rounds.
- The binary result is then converted to a string using base64.

// $count_log2 comes from character 3 of the stored hash, $salt from characters 4-11.
$count = 1 << $count_log2;
$hash = hash($algo, $salt . $password, TRUE);
do {
  $hash = hash($algo, $hash . $password, TRUE);
} while (--$count);

The whole process can be found in:
mydrupalsite\includes\password.inc
Reply

#4
It can be checked inside www\includes\password.inc

function user_check_password($password, $account) {
  if (substr($account->pass, 0, 2) == 'U$') {
    // This may be an updated password from user_update_7000(). Such hashes
    // have 'U' added as the first character and need an extra md5().
    $stored_hash = substr($account->pass, 1);
    $password = md5($password);
  }
  else {
    $stored_hash = $account->pass;
  }

  $type = substr($stored_hash, 0, 3);
  switch ($type) {
    case '$S$':
      // A normal Drupal 7 password using sha512.
      $hash = _password_crypt('sha512', $password, $stored_hash);
      break;
    case '$H$':
      // phpBB3 uses "$H$" for the same thing as "$P$".
    case '$P$':
      // A phpass password generated using md5. This is an
      // imported password or from an earlier Drupal version.
      $hash = _password_crypt('md5', $password, $stored_hash);
      break;
    default:
      return FALSE;
  }
  return ($hash && $stored_hash == $hash);
}

It's been clearly written that "// A normal Drupal 7 password using sha512."
Reply
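As an added example that is not from this thread or from Drupal's own code, here is a Python port of the $S$ scheme laid out in #3 and dispatched in #4's user_check_password(): it parses the 12-character setting, runs the 2^X stretching rounds, encodes with the itoa64 alphabet listed above (the phpass-style encoding password.inc uses rather than standard base64) and keeps the first 55 characters as Drupal 7 does. The function names, the constant-time comparison and the sample passwords are my own assumptions.

```python
import hashlib
import hmac
import os

# Alphabet of Drupal's _password_itoa64(); the post above lists the same string.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASH_LENGTH = 55            # DRUPAL_HASH_LENGTH: stored hashes keep only the first 55 chars
MIN_LOG2, MAX_LOG2 = 7, 30  # DRUPAL_MIN_HASH_COUNT / DRUPAL_MAX_HASH_COUNT
ALGOS = {"$S$": "sha512", "$P$": "md5", "$H$": "md5"}  # as dispatched in user_check_password()

def phpass_b64(data: bytes) -> str:
    """phpass-style base64: each 3-byte chunk is read little-endian and emitted as
    6-bit groups from the low end; a 1- or 2-byte tail gives 2 or 3 chars, no padding."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        value = int.from_bytes(chunk, "little")
        for k in range(len(chunk) + 1):  # 3 bytes -> 4 chars, 2 -> 3, 1 -> 2
            out.append(ITOA64[(value >> (6 * k)) & 0x3F])
    return "".join(out)

def password_crypt(algo: str, password: str, setting: str):
    """Port of _password_crypt(): stretch under the 12-char setting, None if invalid."""
    setting = setting[:12]  # "$S$" + log2-rounds char + 8-char salt
    if len(setting) != 12 or setting[0] != "$" or setting[2] != "$":
        return None
    count_log2 = ITOA64.find(setting[3])  # -1 (not found) is rejected below
    if not MIN_LOG2 <= count_log2 <= MAX_LOG2:
        return None
    pw = password.encode("utf-8")
    digest = hashlib.new(algo, setting[4:12].encode("ascii") + pw).digest()
    for _ in range(1 << count_log2):  # key stretching: 2^log2 further rounds
        digest = hashlib.new(algo, digest + pw).digest()
    return (setting + phpass_b64(digest))[:HASH_LENGTH]

def hash_password(password: str, count_log2: int = 15, prefix: str = "$S$") -> str:
    """Port of user_hash_password(): 6 random bytes -> 8-char salt, 2^15 rounds by default."""
    setting = prefix + ITOA64[count_log2] + phpass_b64(os.urandom(6))
    return password_crypt(ALGOS[prefix], password, setting)

def check_password(password: str, stored: str) -> bool:
    """Port of user_check_password() ($S$/$P$/$H$ and 'U$' migrated hashes), constant-time compare."""
    if stored.startswith("U$"):  # hash rebuilt by user_update_7000(): extra md5() first
        stored = stored[1:]
        password = hashlib.md5(password.encode("utf-8")).hexdigest()
    algo = ALGOS.get(stored[:3])
    if algo is None:
        return False
    computed = password_crypt(algo, password, stored)
    return computed is not None and hmac.compare_digest(computed, stored)
```

Running check_password() against the example hash from #3 with any guess simply returns False; the functions are meant for verifying your own site's hashes offline, not for recovering passwords.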

#5
Drupal 8 is using Phpass (modified version)

Drupal 7 uses SHA-512 + salt

Drupal 6 and previous versions were using md5 with no salt
Reply

#6
For Drupal 6 core, the method uses MD5 and as I understand it, there isn't any salting used. For Drupal 7 some more advanced hashing is used. A good article on it here -
Reply

#7
Here are the links I found on drupal.org:
Reply

©0Day 2016 - 2023 | All Rights Reserved.