I have read about salted hash password technique to protect password from some attacks. https://www.owasp.org/index.php/Hashing_Java#Why_add_salt_.3F
But I have some confusing, should I send a salt value (for all use try to login) and then use Javascript calculates hash with that salt?
I think it's helpful to improve security. But I'm not sure, I'm not see anyone use this way.
Thanks in advance.
An attack case: your server is compromised, the attacker reads the database and gets the hash, the attacker crafts a HTTP request and send the hash directly to your server and log in to the user's account. The security is lowered even more in this case.
The salt is used to prevent same password from appearing the same to attacker, so that it can defend against the case where the attacker compromises your server and obtain the username and hash for offline password cracking.