Drupal 8 and Drupal 7 use SHA512 by default with a salt. They run the hash through PHP's [hash][1] function numerous times to increase the computation cost of generating a password's final hash (a security technique called [stretching][2]).
With Drupal 8, the implementation is object oriented. There is a [PasswordInterface][3] which defines a hash method. The default implementation of that interface is in the [PhpassHashedPassword][4] class. That class' [hash][5] method calls the [crypt][6] method passing in SHA512 as the hashing algorithm, a password, and a generated salt. The class' crypt method is nearly the same as Drupal 7's [_password_crypt()][7] method.
With Drupal 7, the implementation is split into a couple global functions: [user_hash_password()][8] and [_password_crypt()][9].
Drupal 6 uses MD5 without a salt. The relevant function is [user_save()][10].
[1]:
[To see links please register here]
[2]:
[To see links please register here]
[3]:
[To see links please register here]
[4]:
[To see links please register here]
[5]:
[To see links please register here]
[6]:
[To see links please register here]
[7]:
[To see links please register here]
[8]:
[To see links please register here]
[9]:
[To see links please register here]
[10]:
[To see links please register here]