I think maybe having a token sent by the server, then performing a few rounds of hashing of the password with that token concatenated at the end, then doing the same thing with the server after getting the salted hashed password. This would both conceal the password and ensure you aren't just saving a plain text password on the server.
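A sketch of the exchange described above, as an added example that is not part of the original post. It assumes SHA-256, a round count of 1000, a server that hands the client the account salt together with the token, and hypothetical names (`Server`, `verifier`, `response`, `client_answer`).

```python
import hashlib
import hmac
import secrets

ROUNDS = 1000  # assumed value for "a few rounds"


def stretch(data: bytes, rounds: int = ROUNDS) -> bytes:
    """Apply SHA-256 repeatedly to the input."""
    for _ in range(rounds):
        data = hashlib.sha256(data).digest()
    return data


def verifier(password: str, salt: bytes) -> bytes:
    """Salted hashed password: what the server stores instead of plaintext."""
    return stretch(salt + password.encode())


def response(stored: bytes, token: bytes) -> bytes:
    """Hash the salted hash with the server token concatenated at the end."""
    return stretch(stored + token)


def client_answer(password: str, salt: bytes, token: bytes) -> bytes:
    """Client side: rebuild the salted hash locally, then bind it to the token."""
    return response(verifier(password, salt), token)


class Server:
    def __init__(self):
        self.users = {}    # name -> (salt, salted hashed password)
        self.pending = {}  # name -> token issued and not yet used

    def register(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[name] = (salt, verifier(password, salt))

    def challenge(self, name: str):
        """Issue a fresh random token; the salt goes along so the client can hash."""
        token = secrets.token_bytes(32)
        self.pending[name] = token
        return self.users[name][0], token

    def login(self, name: str, client_response: bytes) -> bool:
        token = self.pending.pop(name, None)  # single use: a replay finds no token
        if token is None:
            return False
        expected = response(self.users[name][1], token)
        return hmac.compare_digest(expected, client_response)  # constant-time compare
```

In this construction the stored salted hash is the only secret needed to compute a valid response, so it needs the same protection as the password itself. The token only prevents replay if it is random and consumed on first use, as `login` does here.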