There is an article on this - https://forum.vbulletin.com/articles...sword-handling

vBulletin 5.6.X will use either Bcrypt or Argon2id depending on your server configuration. Argon2id is generally considered more secure than Bcrypt. There is no password field because we never store a password in the database. vBulletin 5 doesn't actually generate salts either. Doing this is considered insecure today. Instead the password_hash function of PHP will create a SALT every time it creates a new hash. No two hashes from the same user should use the same salt.

The password hash, salt, and method of hashing are stored in the token field within the user table.

To facilitate logins from vBulletin 3 and 4 users after an upgrade, there is also a Legacy password scheme. This is used to match the password on the md5(md5(password)+salt) scheme that these systems used with the user's first login. The password that was sent will then be re-hashed as one of the secure methods supported. MD5 should not be considered completely secure in 2020. We recommend against using the Legacy scheme permanently in a live environment.

You can see the code for vBulletin Password hashing by downloading the Non-PHAR version of the software and looking at the files in /core/vb/utility/password. However, we simply use the password_hash() and password_verify() functions in PHP.

You can edit the order which Password Schemes are used by editing /core/includes/xml/pwschemes_vbulletin.xml. You can add your own password scheme by creating a custom pwschemes_XXXXX.xml file and placing it in the same directory.