I'm making a user system for an app I'm developing, and I have a client side (the mobile app itself) and a server side (where the database lives) for it. The app sends GET and POST requests to the server, and the server processes them and sends the information back to the client.
I've been reading recently that for sending passwords between client and server it is recommended that the app sends the hashed password (using an algorithm like SHA-256) and the server compares that hashed value with the one it has stored in the database; if they are equal, the server marks the user as logged in.
But I have a question: doesn't that make it possible for some evil hacker to get the hashed values and use that information to log in as the user? I mean, this mechanism only prevents evil hackers from seeing what the true password is, since you don't store it in its original form anywhere. How do I then make the system more secure to avoid that?