sharperguy | 2 months ago
* user submits password
* gets hashed client side
* server compares it against stored hashes
* server also re-hashes the stored hash, and compares it against the hash received from the client
This would effectively mean that either entering the password, or the password hash would correctly match, since when entering the hash you are effectively "double" hashing the password which gets compared to the double hashed password on the server.
The upside is that users who don't understand hashing or don't feel like opening a sha256 tool wouldn't have to change their behavior or even be confused by a dialog explaining why they should hash the input, while advanced users could find out about the feature via another channel (e.g. hackernews).
The downside would be that it adds an extra hash step to every comparison on the server. It's hard to know how expensive this would be for them.
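An added example, not part of the comment above, of the matching scheme it describes. It assumes SHA-256 with lowercase hex digests and an unsalted set of stored hashes; `client_submit` and `HashStore` are hypothetical names, and precomputing the re-hashed index once (instead of re-hashing per comparison) is a design choice of this sketch.

```python
import hashlib


def sha256_hex(text: str) -> str:
    """SHA-256 of a UTF-8 string, as lowercase hex."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def client_submit(user_input: str) -> str:
    """Client side: always hash what was typed, whether it is the
    password itself or a hash the user computed beforehand."""
    return sha256_hex(user_input)


class HashStore:
    """Server side: holds H(password) values and accepts either
    H(password) or H(H(password)) from the client."""

    def __init__(self, stored_hashes):
        self.single = set(stored_hashes)
        # Re-hash each stored hash once at load time, so the extra hash
        # step is paid per stored entry rather than per comparison.
        self.double = {sha256_hex(h): h for h in self.single}

    def lookup(self, received: str):
        """Return (what the user typed, matching stored hash) or None."""
        if received in self.single:
            return ("password", received)
        if received in self.double:
            return ("hash", self.double[received])
        return None


if __name__ == "__main__":
    # Constructed sample data, not real credentials.
    store = HashStore([sha256_hex("hunter2"), sha256_hex("correct horse")])
    prehashed = sha256_hex("hunter2")
    print(store.lookup(client_submit("hunter2")))    # user typed the password
    print(store.lookup(client_submit(prehashed)))    # user typed its hash
    print(store.lookup(client_submit("not-stored")))
    # Edge case: a tool that prints uppercase hex yields a different
    # double hash, so the pre-hashed input no longer matches.
    print(store.lookup(client_submit(prehashed.upper())))
```

The uppercase case shows that the scheme depends on the user's hashing tool emitting exactly the digest encoding the server re-hashes.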