Okay, so I looked up the modx getHash() and read more about encryption and hashing. I made a little module, so I can do some simple tests and checks with it.
So far so good, I now understand better what's happening.
I now tend to think modx isn't really using blowfish or sha512, but is giving some kind of twist to it. Right?
Anywho. I noticed that getHash() is using md5 for the salt prefix. For Blowfish this means that for the salt 'only' 16 out of the 63 different characters are used. For sha256/512 I read that salt strings should begin with 'rounds=[N]'. The default for N is 5000. I guess getHash() skipping this means it defaults to 'rounds=5000' in the calculation.
Finally, when the seed is the user-id, this will often be 1 for the admin-user. Altogether, from an encryption point of view, things might not be the best approach. On the other hand, bruteforcing the login 3 times false means I'm blocking you. So there you have it... as he replies to himself
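An added example, not part of the original post and not MODX code: it measures how much a salt is worth when it is the md5 hex of the user id, as the post describes. The `md5_salt` construction (first 22 hex digits of `md5(seed)`), the site names and the user ids are assumptions made for illustration.

```python
import hashlib
import math
import string

BCRYPT_SALT_LEN = 22    # characters in a crypt(3) bcrypt salt
BCRYPT_SALT_BITS = 128  # bits those 22 characters encode when chosen at random

def md5_salt(seed):
    """ASSUMPTION: salt = leading hex digits of md5(seed); not MODX's actual code."""
    return hashlib.md5(str(seed).encode()).hexdigest()[:BCRYPT_SALT_LEN]

def audit(ids_by_site):
    """ids_by_site: {site: [user ids]} -> summary of salt quality."""
    salts = {(site, uid): md5_salt(uid)
             for site, ids in ids_by_site.items() for uid in ids}
    # Accounts that end up with the same salt get no per-account protection
    # from it: identical passwords produce identical hashes.
    groups = {}
    for account, salt in salts.items():
        groups.setdefault(salt, []).append(account)
    distinct_seeds = {uid for _, uid in salts}
    return {
        # md5 hex output never leaves 0-9a-f
        "hex_only": set("".join(salts.values())) <= set(string.hexdigits.lower()),
        # ceiling if all 22 hex digits were random
        "max_bits_hex": BCRYPT_SALT_LEN * math.log2(16),
        "bits_random_salt": BCRYPT_SALT_BITS,
        # the salt is a function of the id, so it carries no more
        # information than the id itself
        "effective_bits": math.log2(len(distinct_seeds)),
        "shared_salts": {s: a for s, a in groups.items() if len(a) > 1},
    }

# Constructed sample: two installations, each with an admin at id 1.
SAMPLE = {"site-a.example": [1, 2, 3], "site-b.example": [1, 2]}

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(key, "=", value)
```

A salt drawn from a CSPRNG per password (for example what PHP's `password_hash()` generates) keeps the full 128 bits and never repeats across accounts or installations.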