[dsacco]

That's a fair point, though it doesn't outweigh the myriad other reasons not to do client-side hashing.

Security is always a battle of usability and tradeoffs. Client-side hashing simply doesn't make sense for security. It removes the fundamental point of the hash in the first place and introduces an avenue for possibly attacking or manipulating your database.

In fact, there's hardly ever a reason to do client-side security.

[mentat]

Perhaps you can quality "client-side security"? You mean never trust the client right?

[dsacco]

Yes, that's exactly what I mean. Treat all user-input (and by extension, client-side anything) as dangerous. A server putting a security protocol in the hands of the client when it is not unavoidable is usually bad.