Hi Rapid, I see your point, and there's some truth.
Anyway, hashing would be better than the simple base64 encoding we have now, and that's what I could introduce with little work.
People here have to understand that we are discussing server storage security, in case you get access to settings on the server. We are not discussing login security.
Back to our point, let's see... if in the future we'll also have a 'salt', the server will have to pass it to the client (along with the session), and the piece of scheme hash(pwd) will become hash(pwd+salt).
We can consider it being already like this, with salt as empty string. The current scheme seems to be compatible with this future requirement, and templates can already be built this way to be future-proof.
I hope I was clear enough on this, and that you agree with its consistency. Thanks for making me think on this, I didn't before.
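The salt-compatibility argument in the post above, worked through as an added example (not part of the original post and not the project's code). It assumes the login proof is hash(hash(pwd+salt)+session) with SHA-256; the post only names the inner hash(pwd+salt), and all function names and sample accounts here are constructed for illustration.

```javascript
// Added example, runs under Node.js. Assumption: the outer formula
// hash(hash(pwd + salt) + session) is ours; the post names only the inner hash.
const { createHash, randomBytes, timingSafeEqual } = require('node:crypto');

const sha256 = (s) => createHash('sha256').update(s, 'utf8').digest('hex');

// Server side: the value written to the settings file instead of base64(pwd).
// An empty salt gives exactly hash(pwd), i.e. the unsalted scheme.
function storedVerifier(pwd, salt = '') {
  return sha256(pwd + salt);
}

// Server side: what is passed to the client before login (salt + session).
function newChallenge(account) {
  return { salt: account.salt, session: randomBytes(16).toString('hex') };
}

// Client side (template code): needs only the password and the challenge.
function clientProof(pwd, { salt, session }) {
  return sha256(sha256(pwd + salt) + session);
}

// Server side: recompute from the stored verifier and compare in constant time.
function verify(account, session, proof) {
  const expected = Buffer.from(sha256(account.verifier + session), 'hex');
  const got = Buffer.from(String(proof), 'hex');
  return got.length === expected.length && timingSafeEqual(got, expected);
}

// Constructed sample accounts: one stored without salt, one salted later on.
const legacy = { salt: '', verifier: storedVerifier('s3cret') };
const salted = { salt: 'a1b2c3', verifier: storedVerifier('s3cret', 'a1b2c3') };

// The same client code logs in to both kinds of account.
function demo() {
  const results = {};
  for (const [name, account] of Object.entries({ legacy, salted })) {
    const ch = newChallenge(account);
    results[name] = {
      ok: verify(account, ch.session, clientProof('s3cret', ch)),
      wrongPwd: verify(account, ch.session, clientProof('guess', ch)),
    };
  }
  return results;
}

console.log(demo());
```

A template that always sends hash(hash(pwd+salt)+session) keeps working when the server starts issuing non-empty salts, because only the stored verifier and the salt value change.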
Could you make a switch for the sha256 function? Like if the protocol is https then use the browser's implementation? I think it should be more optimized than the js version.
More code to optimize what? 1ms total on the browser's CPU?