- Is password hashed on client side?
- Should you hash client secret?
- Should I hash the password before sending it to the server side?
- Is sha256 good for password hashing?
Is password hashed on client side?
By hashing on the server, passwords are adequately protected even in the case of a database leak. By hashing on the client, the password doesn't leave the user's browser and even the web application doesn't learn the password.
Should you hash client secret?
Hashing the client secret is recommended for security reasons. One-way hashing of the client secret provides additional security against attackers by hiding the plaintext client secret values from view in both the interface and the database.
Should I hash the password before sending it to the server side?
It should be irreversibly hashed before leaving the client as there is no need for the server to know the actual password. Hashing then transmitting solves security issues for lazy users that use the same password in multiple locations (I know I do).
Is sha256 good for password hashing?
Choosing a slow algorithm is actually preferred for password hashing. Of the hashing schemes provided, only PBKDF2 and Bcrypt are designed to be slow, which makes them the best choice for password hashing; MD5 and SHA-256 were designed to be fast, and as such they are a less than ideal choice.
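The points above (slow salted server-side hashing, and a client-side pre-hash that the server must still hash again) as an added example; this is not code from the original page. All function names, the record format and the iteration count are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 work factor; 600,000 is the value OWASP currently recommends.
ITERATIONS = 600_000


def fast_unsalted_hash(password: str) -> str:
    """What NOT to store: plain SHA-256 is fast and, unsalted, gives identical
    output for identical passwords, so one precomputed table breaks every account."""
    return hashlib.sha256(password.encode()).hexdigest()

def client_prehash(password: str, username: str) -> str:
    """Optional client-side step so the raw password never leaves the browser.
    The username separates the value per account and per site.  The result is a
    password-equivalent secret: the server MUST still run hash_password() on it."""
    digest = hashlib.sha256(f"{username}\x00{password}".encode()).digest()
    return base64.b64encode(digest).decode()

def hash_password(secret: str, iterations: int = ITERATIONS) -> str:
    """Server-side storage: random salt plus a deliberately slow KDF.  The record is
    self-describing so the iteration count can be raised later without a migration."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, iterations, dklen=32)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())

def verify_password(secret: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_b64, dk_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    dk = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, int(iters), dklen=len(expected))
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    # Constructed sample: two users picking the same password.
    # Unsalted hashes collide, PBKDF2 records do not.
    print(fast_unsalted_hash("hunter2") == fast_unsalted_hash("hunter2"))  # True
    print(hash_password("hunter2") == hash_password("hunter2"))            # False
    stored = hash_password(client_prehash("hunter2", "alice"))
    print(verify_password(client_prehash("hunter2", "alice"), stored))     # True
```

Even with the client pre-hash, the server treats the received value exactly as it would a password: salted, slow hashing on the server is what protects the database if it leaks.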