Thursday, April 10, 2014

The reason that passwords are hashed is because the problem isn't the authentication, but the


Why is client-side hashing of a password so uncommon?
There are very few websites that hash the user's password before submitting it to the server. Javascript doesn't even have support for SHA or other algorithms. But I can think of quite a few advantages, so why is this practise so uncommon among websites?
@TimLamballais A typical client can spend far more time on hashing than a server. So if you have a high performance implementation in the client (which rules out javascript in current browsers) you can use more expensive and thus stronger password hashes. It also means that the server never sees the password itself. Client side hashing is also a prerequisite for augmented PAKE protocols like SRP where impersonating the server doesn't give you access to the password. –  CodesInChaos Mar 18 at 10:58 1  
Javascript isn't really that slow anymore. Modern javascript engines have become so fast that they are on-par with compiled languages and recent additions like typed arrays provide the proper tools for the number-crunching required for cryptography. –  Philipp Mar 18 at 11:57     
@TimLamballais One advantage would be that the server never sees my real password, and cannot possibly leak it (yes, they can still leak the hash, but it should be salted by the domain name, so useless for login to other sites). But for the largest advantage see my comment to Philipp's answer. –  Muis Mar 18 at 13:43
A lot of people question whether any extra security is gained with this practice. One thing it does do is reduce risk. If you always hash or encrypt (I've seen steam/valve encrypt with a public key and I bet they are not decrypting) there is no chance of you ever having an embarrassing plaintext breach. No...it isn't any more secure but it isn't pointless –  Rell3oT Mar 18 at 14:34
To understand this problem, first you have to understand why we hash passwords. It is completely possible to store a password in plain text on a server and simply compare the password transmitted to the password received. As long as the password is protected in transit, this is a secure means of authentication (shared secret).
The reason that passwords are hashed is because the problem isn't the authentication, but the storage. If the server is ever compromised, the attacker would immediately have access to all user accounts as they would now know the secret used for authentication of the users.
Hashing acts as a barrier to this. Since the server doesn't know the actual input required to authenticate, even a compromise to the DB does not grant an attacker access to the user accounts. They would still need to figure out the input to give to reach the hash values the application checks against. Sure they could alter all the values to something they know, but this would rapidly throw up suspicion and the system would be shut down and secured.
So, the problem with client side hashing is that it effectively makes the result of the hash the password rather than the password. There is nothing to stop an attacker from bypassing the official client and simply sending the finished hash to the server directly. It provides no additional (or loss) of security during the authentication, but under the situation that hashing is designed to protect against, it offers nothing since the hash stored in the DB is actually the shared secret transmitted to the server.
That said, there are two notable things client side hashing does give you. While it doesn't help protect your system at all, it may help protect your user. If you are insecurely transmitting the password or the transmission gets compromised without the client code getting compromised, you will still protect the user's password (which they may reuse on other sites) from being leaked.
The other is that you can provide additional iterations of a hash to make an offline attack against the DB more difficult without having to use server cycles, but you still need sufficient server cycles to protect against a rogue client. Again, the primary protection this offers is preventing the original password from being discovered but does nothing for helping protect the authentication mechanism of your site.
Put another way, while it does provide some minor protections, from the point of view of the server, the client side hash should be treated as if it was the user's direct password. It provides no more or no less security on the server than if the user had directly given their password and should be protected as such.
If you want to be able to provide that extra level of security, I would recommend two hashes. Hash once client side to build a new, unique password, then hash that password on the server to make a value you store in the DB. This way you get the best of both worlds.
For the most part, SSL is trusted sufficie
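
The two-hash scheme recommended in the answer, next to client-only hashing, as an added example that is not part of the original post or its comments. The function names, the `example.test` domain, the choice of PBKDF2 and scrypt, and the iteration count are assumptions made for illustration; it uses Node's built-in `crypto` module.

```javascript
// Added example, not from the original post. All names here are hypothetical.
const crypto = require('node:crypto');

// Client side: stretch the password into a site-specific secret. Salting with
// domain + username (an assumption, following the comment about domain salts)
// makes the derived value useless for logging in to other sites.
function clientHash(password, username, domain = 'example.test') {
  const salt = `${domain}:${username.toLowerCase()}`;
  return crypto.pbkdf2Sync(password, salt, 100000, 32, 'sha256').toString('hex');
}

// Server side: treat whatever the client sent as the password and hash it
// again with a random per-user salt. Only salt + second hash are stored.
function serverStore(clientSecret) {
  const salt = crypto.randomBytes(16);
  const hash = crypto.scryptSync(clientSecret, salt, 32);
  return { salt: salt.toString('hex'), hash: hash.toString('hex') };
}

function serverVerify(record, submitted) {
  const expected = Buffer.from(record.hash, 'hex');
  const salt = Buffer.from(record.salt, 'hex');
  const actual = crypto.scryptSync(String(submitted), salt, 32);
  return crypto.timingSafeEqual(expected, actual);
}

// Client-only hashing: the server stores the client hash and compares it
// directly, so the stored value itself is the login credential.
function naiveVerify(storedClientHash, submitted) {
  const a = Buffer.from(storedClientHash);
  const b = Buffer.from(String(submitted));
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

function demo() {
  const secret = clientHash('correct horse', 'alice'); // constructed sample input
  const record = serverStore(secret);
  return {
    legitLogin: serverVerify(record, secret),                    // true
    leakedRowAcceptedTwoHash: serverVerify(record, record.hash), // false
    leakedRowAcceptedClientOnly: naiveVerify(secret, secret),    // true
    sameSecretOnOtherSite:
      clientHash('correct horse', 'alice', 'other.test') === secret, // false
  };
}

console.log(demo());
```

With the second, server-side hash a leaked database row is no longer accepted as a credential, while the user's original password still never reaches the server.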
