How can I enforce new password rules (e.g. '12 chars minimum') on the backend, when the client sends up a one-way hash? If I used two-way encryption, the client would need the passcode, which seems to defeat the purpose. I'm using a salted hash in case someone intercepts the message, but couldn't they also intercept a passcode? This seems like a catch-22.
...but I can't think of anything better. I send down a one-time passcode (which I suppose is fairly safe over SSL), then decrypt the password on the backend and run my checks.
How do the experts handle this? Thanks in advance.
TLS is secure if you are using the up2date default policies. It's not an issue to send over your passwords in clear text and hash them on the server. That's actually what most applications do, even big websites.
You can't enforce password rules on the backend when using a secure hashing algorithm such as argon2 already on the frontend.