diff --git a/crypto.go b/crypto.go
index 68a6ffe..a842140 100644
--- a/crypto.go
+++ b/crypto.go
@@ -5,21 +5,36 @@ import (
 	"crypto/sha1"
 	"crypto/sha256"
 	"encoding/base32"
+	"encoding/base64"
 	"encoding/binary"
 	"errors"
 	"fmt"
 	"hash"
 	"math"
+	"math/rand"
 	"strings"
 	"time"
 )
 
+func NewSalt() string {
+	var letterRunes = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
+	b := make([]rune, 4)
+	for i := range b {
+		b[i] = letterRunes[rand.Intn(len(letterRunes))]
+	}
+	return string(b)
+}
+
 func ComputeHmac256(message string, secret string) []byte {
 	h := hmac.New(sha256.New, []byte(secret))
 	h.Write([]byte(message))
 	return h.Sum(nil)
 }
 
+func encode64(secret []byte) string {
+	return strings.TrimRight(base64.StdEncoding.EncodeToString(secret), "=")
+}
+
 func encodeSecret(secret []byte) string {
 	return strings.TrimRight(base32.StdEncoding.EncodeToString(secret), "=")
 }
diff --git a/main.go b/main.go
index 8a8b0d2..850852e 100644
--- a/main.go
+++ b/main.go
@@ -4,8 +4,10 @@ import (
 	"flag"
 	"log"
 	"log/syslog"
+	"math/rand"
 	"os"
 	"strings"
+	"time"
 
 	"github.com/pyke369/golang-support/uconfig"
 )
@@ -24,6 +26,9 @@ func main() {
 		os.Exit(1)
 	}
 
+	// seed the prng
+	rand.Seed(time.Now().UnixNano())
+
 	server := NewVPNServer(config.GetString("config.openvpnPort", "127.0.0.01:5000"))
 	server.vpnlogUrl = config.GetString("config.vpnLogUrl", "")
 	server.mailRelay = config.GetString("config.mailRelay", "")
diff --git a/otp.go b/otp.go
index f269e62..bdddbb3 100644
--- a/otp.go
+++ b/otp.go
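Review bot: NewSalt draws the four salt letters from math/rand, a deterministic generator that the main.go hunk seeds from the wall clock with `rand.Seed(time.Now().UnixNano())`, so the only random component of every token minted by TokenPassword in otp.go is predictable from the start time rather than random. Anything that becomes part of a credential should come from crypto/rand; the rewrite below swaps the `"math/rand"` import in crypto.go for `"crypto/rand"` and samples the 52-letter alphabet with rejection so no letter is favoured, which also makes the `rand.Seed` call in main.go (deprecated since Go 1.20) unnecessary. A Read failure is treated as fatal here; returning `(string, error)` and letting TokenPassword propagate it would be the cleaner option if the call sites can be changed. Separately, `encode64`'s parameter is an HMAC output rather than a secret, so `data` would be a truer name, and `base64.RawStdEncoding.EncodeToString(data)` already yields the unpadded form the `TrimRight` is hand-rolling.
```go
func NewSalt() string {
	const letters = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
	// Largest multiple of len(letters) that fits in a byte; draws at or above it are
	// discarded so every letter is equally likely (a bare modulo would favour the first 48).
	const limit = 256 - 256%len(letters)
	out := make([]byte, 0, 4)
	var buf [1]byte
	for len(out) < 4 {
		if _, err := rand.Read(buf[:]); err != nil { // rand is crypto/rand here
			panic("crypto/rand: " + err.Error())
		}
		if int(buf[0]) < limit {
			out = append(out, letters[int(buf[0])%len(letters)])
		}
	}
	return string(out)
}
```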
@@ -14,11 +14,19 @@ func (s *OpenVpnMgt) GenerateOTP(user string) ([]string, error) {
 // }
 
 func (s *OpenVpnMgt) TokenPassword(c *vpnSession) (bool, string) {
-	//TODO implement that correcly
-	if c.password == "maith1wiePuw3ieb4heiNie5y" {
-		return true, "maith1wiePuw3ieb4heiNie5y"
+	now := time.Now().Unix()
+	if len(c.password) > 40 {
+		salt := c.password[:4]
+		for i := 0; i < 3; i++ {
+			test := encode64(ComputeHmac256(c.baseHash(salt, now/30-int64(i)), s.otpMasterSecrets[0]))
+			if salt+test == c.password {
+				return true, c.password
+			}
+		}
 	}
-	return false, "maith1wiePuw3ieb4heiNie5y"
+
+	salt := NewSalt()
+	return false, salt + encode64(ComputeHmac256(c.baseHash(salt, now/30), s.otpMasterSecrets[0]))
 }
 
 func (s *OpenVpnMgt) GenerateOTPGeneric(user string, period int, algo string, secretLen int, digits int) ([]string, error) {
diff --git a/vpnsession.go b/vpnsession.go
index fd86e4f..9e1e0f8 100644
--- a/vpnsession.go
+++ b/vpnsession.go
@@ -67,6 +67,10 @@ func (c *vpnSession) b64Login() string {
 	return base64.StdEncoding.EncodeToString([]byte(c.Login))
 }
 
+func (c *vpnSession) baseHash(salt string, i int64) string {
+	return fmt.Sprintf("%s%s%s%s", salt, c.Login, c.IP, i)
+}
+
 func (c *vpnSession) ParseSessionId(line string) error {
 	var err error
 	client_id := strings.Split(strings.Replace(line, ">CLIENT:CONNECT,", "", 1), ",")
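Review bot: `if salt+test == c.password {` in TokenPassword checks a secret-derived value with plain string equality, which stops at the first differing byte; the comparison should be constant-time, `if hmac.Equal([]byte(salt+test), []byte(c.password)) {` (or `subtle.ConstantTimeCompare`), which needs the `crypto/hmac` import in otp.go if it is not already there. `s.otpMasterSecrets[0]` is indexed on both the verify and the issue path with no length check, so an empty secret list panics wherever TokenPassword is called instead of failing the login; a guard here, or a startup check that the configuration supplied at least one secret, would close that. The `len(c.password) > 40` guard is looser than the token shape the function itself produces (4 salt letters plus 43 characters of unpadded base64 for a 32-byte HMAC-SHA256, 47 in total), so `if len(c.password) != 47 {` would reject malformed input more precisely, although the HMAC check already rejects it. A short doc comment would help the next reader, since the contract is unusual: a comment stating that the function verifies c.password against the current and two previous 30-second slots and, on failure, mints and returns a fresh token for the current slot.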
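Review bot: baseHash formats the int64 slot counter with `%s`, which produces `%!s(int64=N)` and is flagged by `go vet`; both the issuing and the verifying side in otp.go go through baseHash so tokens still match, but the intended line is `return fmt.Sprintf("%s|%s|%s|%d", salt, c.Login, c.IP, i)`. The separators matter as well: with the fields simply concatenated, login and IP run together, and if c.Login is not constrained two distinct login/IP pairs can yield the same HMAC input. Because the hash input changes, tokens minted before the deploy stop verifying, which is harmless given the roughly 60–90 second window TokenPassword accepts. c.IP's type is not visible in this hunk; `%s` is fine for a string or a net.IP, but confirm before relying on it.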