Ja1024

Hashing the password both client-side and on the server has few benefits, some major issues and strong competition from clearly superior alternatives like Password-authenticated Key Exchange (PAKE) or completely passwordless options like WebAuthn (using passkeys). This might explain why it's not very popular.

First, the only reason that a user wants to hide their plaintext password from the application they're authenticating at is password reuse. Otherwise, it makes no difference whether the user sends their password or some password-derived hash to the server. From the server's perspective, they're both credentials. And an attacker who manages to obtain the client-side hash can immediately use it to gain access to an account, regardless of whether or not they know the underlying password. Of course there is a difference if the plaintext password also works for other services, and password reuse is a real problem. However, client-side hashing doesn't fully solve this. If the password is weak, then an attacker may still be able to brute-force the hash. The actual solution is for the user to generate strong and unique passwords with, e.g., a password manager.

Secondly, client-side hashing doesn't come for free. Modern password hashing algorithms like Argon2 are computationally expensive by design and require a lot of memory. On a server, you know the hardware and can find a good balance between the strength of the resulting hash, the use of available resources and the time a user has to wait. Servers also tend to have enough CPU cores and RAM to use reasonably strong cost parameters. This is much more difficult when you run the hashing on a client device. You may be dealing with weak hardware, you might not even know the exact hardware, and so it will be tricky to find the right balance. If you set the cost parameters too high, this can overload the system, which is a real problem if the user needs the system resources for other tasks. If they're too low, the resulting hash is weak.

Last but not least, there are already much better alternatives to classical password hashing. A lot of online services now offer WebAuthn which completely replaces passwords with strong public-key authentication. Depending on the userbase, mutual TLS with client certificates might be another option. And if you want to keep using passwords but avoid the problems of classical password hashing, there are PAKE algorithms like OPAQUE or the older Secure Remote Password which let the user completely hide the password from the server. Even if none of those are an option, you can probably still strengthen the password-based authentication with a second factor (e.g., TOTP tokens).
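
Added example, not part of the original answer: a minimal client-plus-server hashing scheme showing that the server accepts the client-side hash itself as the credential, and that a weak password is still found by guessing against that hash. The function names, the cost values and the sample password are constructed for illustration, and scrypt from the Python standard library stands in for Argon2.

```python
import hashlib
import hmac
import os

# Assumption: scrypt from the standard library stands in for Argon2.
CLIENT_COST = dict(n=2**12, r=8, p=1)  # has to run on the weakest client device
SERVER_COST = dict(n=2**14, r=8, p=1)  # tuned for known server hardware


def client_hash(password: str, client_salt: bytes) -> bytes:
    """Value the client sends in place of the plaintext password."""
    return hashlib.scrypt(password.encode(), salt=client_salt, dklen=32, **CLIENT_COST)


def register(password: str) -> dict:
    """Server-side record: both salts plus a second hash over the client hash."""
    client_salt, server_salt = os.urandom(16), os.urandom(16)
    stored = hashlib.scrypt(client_hash(password, client_salt),
                            salt=server_salt, dklen=32, **SERVER_COST)
    return {"client_salt": client_salt, "server_salt": server_salt, "stored": stored}


def server_verify(record: dict, submitted: bytes) -> bool:
    """The server only sees `submitted`; it cannot tell who computed it."""
    candidate = hashlib.scrypt(submitted, salt=record["server_salt"],
                               dklen=32, **SERVER_COST)
    return hmac.compare_digest(candidate, record["stored"])


def matches_wordlist(observed: bytes, client_salt: bytes, wordlist: list):
    """Return the wordlist entry whose client hash equals `observed`, else None."""
    for word in wordlist:
        if hmac.compare_digest(client_hash(word, client_salt), observed):
            return word
    return None


def demo() -> dict:
    record = register("summer2024")  # constructed weak password
    observed = client_hash("summer2024", record["client_salt"])  # sent at login
    return {
        # The observed value alone logs in; the password is never needed.
        "replay_accepted": server_verify(record, observed),
        "wrong_value_rejected": not server_verify(record, os.urandom(32)),
        # A weak password is still found by guessing against the client hash.
        "recovered": matches_wordlist(observed, record["client_salt"],
                                      ["123456", "letmein", "summer2024"]),
    }
```

The gap between `CLIENT_COST` and `SERVER_COST` reflects the second point of the answer: the client parameters have to be chosen for unknown hardware, so each guess against the client hash is cheaper than one against a hash computed with server-tuned parameters.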
