People often use personal information to create them, like first name / date of birth, and people often reuse passwords across several sites, so I guess passwords are considered personal data since they could identify its owner.
If a website doesn't follow best practices regarding password hashing, it could make the whole hashing process basically useless, so I guess password hashes are also considered personal data.
With GDPR, can I request a copy of my password hash?