• always use HTTPS;
• always use the bcrypt() function to hash passwords (https://laravel.com/docs/5.2/helpers#method-bcrypt), never create your own hashing functions / algorithms;
• host your own server or use a reliabe hoster, if people have access to your server then hashing has no use because they can access the code / encryption keys / configs, etc and have access to the database...

ITCan said:

• always use HTTPS
• always use the bcrypt() function to hash passwords (https://laravel.com/docs/5.2/helpers#method-bcrypt)
• host your own server or use a reliabe hoster, if people have access to your server then hashing has no use because they can access the code / encryption keys / configs, etc and have access to the database...

Of course I will use HTTPS, of course I am using bcrypt() and of course I trust my hoster, but this is not the case. The problem here is sending passwords in plaintext what should be avoided.

Motivation: http://stackoverflow.com/a/21716654

You could use sha1 (or any other algo) in javascript for the client side. But if you are using https (and only allow https connections) I dont think you really need to stress much about it.

Check http://www.movable-type.co.uk/scripts/sha1.html

To be clear the op said its for the client side, he will rehash on the server side using bcrypt and salt.

Good read on the topic at this link as well http://security.stackexchange.com/questions/93395/how-to-do-cl...