accounts-password really takes care of it for you. I wish the documentation on the implementation details was better, but you can see the overview here.
Passwords are verified by checking hashes, so only the hashed version is transferred from the client to the server, where it is then run through bcrypt.
client: password → network: sha256(password) → server: bcrypt(sha256(password))
What is nice about this implementation: (a) the server never sees or saves data equivalent to the password, (b) all this is done for you, just installing the package.
Also see this hackpad for more details.