Generally, user authentication performs through user's Id and password. In this process, user id remains visible and password remains secret. But through shoulder surfing and other attacks, the password can also be traced due to exact password characters are typed or marked by users during login. To counter this vulnerability of tracing password, we propose a novel login method that does not reveal the user-id/password even if keylogging traces the typed keyboard's characters. We also do a security analysis to show that proposed mechanism is able to withstand a number of attacks and also mitigates some of the attacks. We also do a usability survey to show its feasibility among real-time users without compromising any security features. © 2016 ACM.