User authentication is very important to information security. In this paper, we present an economical hash-based strong password authentication scheme that uses a popular removable storage device. With the help of the new scheme, the user can "remember" a random number that is not only part of the user's ID but also part of the user's password, which makes the scheme a one-time ID and one-time password scheme with user identity protection. Mutual authentication is supported, which gives the scheme message freshness and principal liveness. In this scheme, no plain text is transferred, the data items protect one another through the use of hash functions, and most of the common attacks can be avoided. Furthermore, the server and the user exchange two random numbers that can be used to build a session key after authentication. Different methods of constructing the key influence the security of the scheme, and an analysis of this is also given.