A password method and system is described in which the legitimate user persuades the validating element of the system of his identity by identifying specific data in sequence from within a collection of data by means of associated reference data. No password information need be transmitted over networks and encryption is not required. Thus the user establishes his identity without disclosing his underlying password to an observing or data intercepting third party. The concept of requiring a user to identify password data hidden within extraneous data is not new, but practical issues relating to ease of use and ease of password deduction have limited the use of these systems, which have therefore remained essentially of academic interest. This invention identifies and addresses weaknesses of this technology and defines a system capable of immediate commercial use in for example; ATMs, Corporate networks, Internet Banking and Electronic Locking systems etc.