Drupal stores a hashed password in the database, and the hash is one-way, which means you cannot get the original password back from it. During authentication, Drupal hashes the password the user entered and checks whether the result equals the one in the database. When it matches, in a monolithic (not decoupled) project, Drupal creates a cookie with information about the user and sends it back to the browser, where it is stored and used for future requests.
But when developing a decoupled site using GraphQL, JSON:API or a REST API, you can't always use a cookie, because the front-end application might not support it (an Android mobile app, for example). In this case it is better to use tokens for authentication. There are several modules for this; one of the most popular is Simple OAuth (OAuth2) & OpenID Connect (stable and widely used).
After setting this module up (installing it with Composer, creating a private and public key, and adding consumers), you can get a token by making a POST request to:
{SiteName}/oauth/token
The body should be of type multipart/form-data
(application/json is not supported) and can contain:
grant_type = password
client_id = CONSUMER ID YOU CAN BUILD THROUGH UI
client_secret = CONSUMER PASSWORD (IF YOU HAVE SET)
username = USERNAME
password = PASSWORD
scope = ROLES YOU WANT THE USER TO HAVE THAT ARE NOT DEFINED IN THE CONSUMER (HAS NO EFFECT IF THE USER DOES NOT HAVE THAT ROLE, SO NO SECURITY CONCERNS)
And that's it: you will get an access token and a refresh token in the response, which can then be used in future requests to GraphQL or any other REST service.
One important note about this module concerns scopes: when adding a client, you can assign one or more scopes to it, and a user who logs in through that client will have all the roles assigned to that client.
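The token request and the follow-up API call described above, as an added Python example (not code from the module or from the original text). The site URL, the /graphql path, the sample response and the HTTPS check are assumptions made for illustration; the response field names follow standard OAuth2.

```python
import json
import urllib.request
import uuid

def build_token_request(site, client_id, username, password, client_secret=None, scope=None):
    """Build (not send) the password-grant POST to {site}/oauth/token."""
    if not site.startswith("https://"):
        # Added check: this grant puts the user's password in the request body.
        raise ValueError("token requests must go over HTTPS")
    fields = {"grant_type": "password", "client_id": client_id,
              "username": username, "password": password}
    if client_secret:
        fields["client_secret"] = client_secret
    if scope:
        fields["scope"] = scope
    boundary = uuid.uuid4().hex
    # multipart/form-data body: one part per field, then the closing boundary.
    body = "".join(
        f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'
        for name, value in fields.items()
    ) + f"--{boundary}--\r\n"
    return urllib.request.Request(
        site.rstrip("/") + "/oauth/token",
        data=body.encode("utf-8"),
        method="POST",
        headers={"Content-Type": f"multipart/form-data; boundary={boundary}"},
    )

def parse_token_response(raw):
    """Extract the tokens from the JSON response; fail loudly on an error body."""
    data = json.loads(raw)
    if "access_token" not in data:
        raise ValueError(f"token request failed: {data.get('error', 'unknown error')}")
    return data["access_token"], data.get("refresh_token")

def build_api_request(url, access_token, payload):
    """Attach the access token as a Bearer header to a later API call."""
    return urllib.request.Request(
        url, data=json.dumps(payload).encode("utf-8"), method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )

# Constructed sample response; real tokens are long opaque strings.
SAMPLE_RESPONSE = ('{"token_type": "Bearer", "expires_in": 300, '
                   '"access_token": "ACCESS-PLACEHOLDER", "refresh_token": "REFRESH-PLACEHOLDER"}')

if __name__ == "__main__":
    req = build_token_request("https://example.com", "CONSUMER-ID", "USERNAME", "PASSWORD")
    access, refresh = parse_token_response(SAMPLE_RESPONSE)
    api = build_api_request("https://example.com/graphql", access, {"query": "{ __typename }"})
    print(req.full_url, api.get_header("Authorization"))
```

To send a built request, pass it to urllib.request.urlopen() and feed the response body to parse_token_response().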