A system of λ≧2 servers is provided. The server system comprises an access control server for communication with user computers via a network and controlling access by the user computers to a resource in dependence on authentication of user passwords associated with respective user IDs, and a set of authentication servers for communication with the access control server via the network. In this system, at least each authentication server stores a respective key-share Ki of a secret key K which is shared between a plurality of the λ servers. The access control server is adapted, in response to receipt from a user computer of a user ID and an input password, to produce a hash value h via a first hash function operating on the input password. The access control server blinds the hash value h to produce a blinded hash value u, and sends the blinded hash value u via the network to at least a subset of the set of authentication servers. Each authentication server is adapted, in response to receipt of the blinded hash value u, to produce a hash response vi from the blinded hash value u and that server's key-share Ki, and to send the hash response vi via the network to the access control server. The access control server is further adapted to produce, using the hash response vi from each authentication server, an input password hash comprising a predetermined function of said hash value h and said secret key K. The access control server compares the input password hash with a corresponding user password hash, produced from the user password for the received user ID and pre-stored by the access control server, to determine whether the input password equals the user password, if so permitting access to the resource by the user computer.