Single sign-on is critical for the usability of distributed systems. While there are several authentication mechanisms which support single sign-on (e.g. Kerberos and X.509), it may be difficult to modify a particular legacy application to utilize an authentication scheme other than username/password. A simple solution for single sign-on involves transmitting a user's password over the network. However, it is undesirable to expose a user's private password in an insecure environment. This paper describes our effort to create "session passwords" which are short-lived passwords transmitted in lieu of a user's private password. Our implementation utilizes the MyProxy X.509 credential service as an authentication service. We demonstrate our solution in the MAEviz application portal, a Java Web Start application for earthquake risk management and analysis. Categories and Subject Descriptors H.3.5 [Online Information Services]: Web-based Services – Java Web Start;...