In a method for improving a client's login and sign-on security when
accessing services offered by service providers over shared network
resources such as the Internet, and particularly within the framework of
the WWW, a password is created for the client at a first attempt to access
the service provider. The client's password is generated either at an
authentication authority in trust relationship with the service provider
and transmitted to the client, or the client is allowed to create his or
her password on the basis of random character sequences transmitted from
the authentication authority. For subsequent access to the service
provider the authentication authority presents the client with characters
in ordered sequences or in a diagram containing, in an appropriate order, a
single occurrence of each password character. The client performs a
selection of the password for validation and transmits the validation
back to the authentication authority, which verifies the password and
informs the service provider of the verification. In a most preferred
embodiment the password characters are never transmitted between the
authentication authority and the client in a validation and verification
procedure, and the former is wholly disconnected from either the client's
credentials or any transactions subsequently to be undertaken between the
service provider and the client.
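
One way the validation round could work, as an added example that is not taken from the patent: the authority shuffles a diagram containing each character once, and the client answers with positions in that diagram rather than with the characters themselves. The class and function names, the 36-character alphabet, the six-character password and the single-use challenge id are assumptions; notifying the service provider is left out.

```python
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits  # assumed character set
_rng = secrets.SystemRandom()


class AuthenticationAuthority:
    """Knows only an opaque handle and the password, not the client's credentials."""

    def __init__(self):
        self._passwords = {}  # handle -> password
        self._pending = {}    # challenge id -> expected grid positions

    def enroll(self, handle, length=6):
        # First access: generate a password with no repeated character.
        password = "".join(_rng.sample(ALPHABET, length))
        self._passwords[handle] = password
        return password  # delivered to the client once

    def challenge(self, handle):
        # Later access: a freshly shuffled diagram holding each character once.
        grid = _rng.sample(ALPHABET, len(ALPHABET))
        expected = bytes(grid.index(c) for c in self._passwords[handle])
        challenge_id = secrets.token_hex(8)
        self._pending[challenge_id] = expected
        return challenge_id, grid

    def verify(self, challenge_id, positions):
        # Single use: a captured reply cannot be replayed against this challenge.
        expected = self._pending.pop(challenge_id, None)
        if expected is None:
            return False
        if not all(isinstance(p, int) and 0 <= p < len(ALPHABET) for p in positions):
            return False
        return hmac.compare_digest(expected, bytes(positions))


def select_positions(grid, password):
    # Client side: the reply carries grid positions, not password characters.
    return [grid.index(c) for c in password]
```

Anyone who observes both the diagram and the returned positions can reconstruct the password, so the exchange still needs a confidential channel.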