Isn't introducing a DB to the mix just adding senseless dependency? If you got tens of thousands if not millions of users, then sure. Anything less than that, might as well defer the DB implementation altogether, store it in a flat file loaded on backend spin-up and keep in memory as a map/dictionary.
The less moving parts you got, the safer and snappier the backend is
edit: oh and what Carhartguy said. Proper procedure is:
1: On client user make password
2: On client password is hashed
3: Hash is sent over SSL/TSL to backend (together with userID if existing user)
4: Backend receives hash, generates salt (usually based off some pseudo-random generator)
5: Backend generates a new userID (if new user)
6: Client receives and stores userID from backend (if new user)
7: Backend appends salt to hash string
8: Backend hashes resulting string from 7
9: Backend stores new hash and salt with userID
10: On client login, user enters password
11: On client entered password is hashed
12: Hash is sent over SSL/TSL to backend together with userID
13: Backend receives hash, looks up salt stored with userID
14: Backend appends the salt to hash string
15: Backend hashes resulting string from 14
16: Backend compares new hash from 15 to hash stored with userID
17: If they match, a kitten purrs
18: If they do not match, a kitten takes a dump on the bed-linen.
simple, huh?