in reply to Authenticating to a sockets program
You could send the client a salt and have them crypt their password with it and send it back to you. Someone only needs to sniff 4096 authentications, however, to know the correct response for each possible salt combination. If, however, you sent the client the time, the client could crypt the password and repeatedly crypt that result with the next pair of characters from the time. This has the advantage that the key will never be repeated, provided you prevent someone from logging on twice in the same second. I'm no cryptanalyst, so there might be a better way of hashing the password with the time than repeatedly crypting it with the time's character pairs; one of the Crypt modules might offer a better solution.
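
The time-based challenge described in the reply above, as an added example that is not part of the original post: it swaps the repeated crypt() for HMAC-SHA256 from Python's standard library and shows both sides of the exchange. The `Server` class, the `alice` account and the 30-second `max_age` limit are assumptions made for illustration.

```python
import hashlib
import hmac
import time

# Constructed sample credential store (hypothetical user and password).
USERS = {"alice": b"correct horse battery staple"}


def response_for(password: bytes, challenge: str) -> str:
    """Client side: key an HMAC with the password and MAC the challenge."""
    return hmac.new(password, challenge.encode(), hashlib.sha256).hexdigest()


class Server:
    """Issues the current time as a challenge and accepts each one once."""

    def __init__(self, users, clock=time.time, max_age=30):
        self.users = users
        self.clock = clock        # injectable so the logic can be tested
        self.max_age = max_age    # assumed lifetime of a challenge, seconds
        self.last_issued = {}     # user -> second of the last challenge
        self.pending = {}         # user -> outstanding challenge string

    def challenge(self, user):
        now = int(self.clock())
        # The reply's condition: never two logins in the same second, so a
        # sniffed response can never match a later challenge.
        if self.last_issued.get(user, -1) >= now:
            return None
        self.last_issued[user] = now
        self.pending[user] = str(now)
        return self.pending[user]

    def verify(self, user, response):
        challenge = self.pending.pop(user, None)   # single use
        if challenge is None or user not in self.users:
            return False
        if int(self.clock()) - int(challenge) > self.max_age:
            return False                           # stale challenge
        expected = response_for(self.users[user], challenge)
        # Constant-time comparison avoids leaking how many characters match.
        return hmac.compare_digest(expected, response)
```
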