In your description you mention in #3 (the first of them) that the browser hashes using the user's salt (not the one-time one) and then afterwards the one-time salt. How does the browser get the user's salt in the first place? Is it returned in the response to the request with the username? So the user enters password and we send: hash(userOneTimeSalt + hash(userSalt + password)) is that correct What do we have in our db? hash(userSalt + password) I assume? Since the one-time salt is just to mask the hashed password. Deny request if hash(userOneTimeSalt + db.hashPassword) != double hashed password from login attempt. When the user is created it is a bit different isn't it? We would pass the users salt that we just created based on the username request. The browser hashes the password and sends this hash (without the extra level of hashing) and we store that value directly as the password?