
Abstract


Password authentication is commonly used to authenticate the user in web-based services such as internet banking due to its simplicity and convenience. Many users have multiple accounts and use the same password. The password is usually sent to the server over an HTTPS connection. However, this common practice makes the system vulnerable. An attacker can set up a phishing site masquerading as the genuine site and attempt to steal the user's credentials. If the user's credentials are successfully stolen, all accounts are compromised. Moreover, since passwords are shared across accounts, a break-in to a system that is not well protected might cause a cascaded break-in. This paper describes an authentication protocol which enables the user to securely use the same password for multiple servers, and protects against phishing attacks. The protocol also allows multiple simultaneous authentication sessions while preventing replay attacks. Furthermore, the protocol is resilient against denial-of-service attacks since no state is maintained on the server during the authentication process.
