Based on the documentation for POST /flows : Node-RED, it mentions the usage of an encrypted password within the flow JSON request body. What is the encryption mechanism that is actually used? It doesn't look like bcrypt.
Which is indeed bcrypt. However, it does use a salt. From settings.js:
/** By default, credentials are encrypted in storage using a generated key. To
 * specify your own secret, set the following property.
 * If you want to disable encryption of credentials, set this property to false.
 * Note: once you set this property, do not change it - doing so will prevent
 * node-red from being able to decrypt your existing credentials and they will be
 * lost.
 */
credentialSecret: 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
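An added example (not from the original posts and not Node-RED's own code) of what the settings.js comment warns about: credentials encrypted under a key derived from credentialSecret can no longer be decrypted once the secret changes. The AES-256-CTR cipher, the SHA-256 key derivation, the {"$": ...} stored layout, the function names and the sample values are all assumptions of this example.

```javascript
// Added example, not Node-RED source: cipher, key derivation and layout are assumptions.
const crypto = require("crypto");

// Derive a 32-byte AES key from the credentialSecret string.
function deriveKey(secret) {
  return crypto.createHash("sha256").update(secret, "utf8").digest();
}

// Encrypt a credentials object under the secret.
// Stored form: {"$": hex(16-byte IV) + base64(ciphertext)}.
function encryptCredentials(secret, credentials) {
  const iv = crypto.randomBytes(16);
  const cipher = crypto.createCipheriv("aes-256-ctr", deriveKey(secret), iv);
  const plain = Buffer.from(JSON.stringify(credentials), "utf8");
  const body = Buffer.concat([cipher.update(plain), cipher.final()]);
  return { $: iv.toString("hex") + body.toString("base64") };
}

// Decrypt the stored form. CTR mode has no integrity check, so a wrong secret
// yields garbage bytes rather than a cipher error; JSON.parse is what fails.
function decryptCredentials(secret, stored) {
  const iv = Buffer.from(stored.$.slice(0, 32), "hex");
  const body = Buffer.from(stored.$.slice(32), "base64");
  const decipher = crypto.createDecipheriv("aes-256-ctr", deriveKey(secret), iv);
  const plain = Buffer.concat([decipher.update(body), decipher.final()]);
  return JSON.parse(plain.toString("utf8"));
}

// Report success or failure instead of throwing, as a startup check might.
function tryDecrypt(secret, stored) {
  try {
    return { ok: true, credentials: decryptCredentials(secret, stored) };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// Constructed sample data: node id, user name and password are made up.
const sample = { "a1b2c3d4.e5f6a7": { user: "mqtt-user", password: "constructed-example" } };
const stored = encryptCredentials("original-secret", sample);

console.log("same secret:", tryDecrypt("original-secret", stored).ok);
console.log("changed secret:", tryDecrypt("changed-secret", stored).ok);
```

Because the encryption is reversible with the secret, the credentialSecret value needs the same protection as the credentials themselves and should be backed up along with the credentials file.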