diff --git a/html5/index.html b/html5/index.html
index f9969dfa..e2e6ba40 100644
--- a/html5/index.html
+++ b/html5/index.html
@@ -550,7 +550,20 @@ <h2>Xpra Bug Report</h2>
 
 				// look at url parameters
 				const username = getparam("username") || getparam("handle") || null;
-				const password = getparam("password") || getparam("token") || null;
+				const passwords = [];
+				for (let i=0; i<10; i++) {
+					let password = getparam("password"+i) || getparam("token"+i) || null;
+					if (!password && i==0) {
+						//try with no suffix:
+						password = getparam("password") || getparam("token") || null;
+					}
+					if (password) {
+						passwords.push(password);
+					}
+					else {
+						break;
+					}
+				}
 				const sound = getboolparam("sound", true) || null;
 				const audio_codec = getparam("audio_codec") || null;
 				const encoding = getparam("encoding") || null;
@@ -758,8 +771,8 @@ <h2>Xpra Bug Report</h2>
 				if(username) {
 					client.username = username;
 				}
-				if(password) {
-					client.password = password;
+				if(passwords) {
+					client.passwords = passwords;
 				}
 				if (action=="connect") {
 					client.server_display = display;
diff --git a/html5/js/Client.js b/html5/js/Client.js
index e228c825..839742c2 100644
--- a/html5/js/Client.js
+++ b/html5/js/Client.js
@@ -49,7 +49,7 @@ XpraClient.prototype.init_settings = function(container) {
 	this.ssl = null;
 	this.path = "";
 	this.username = "";
-	this.password = null;
+	this.passwords = [];
 	this.insecure = false;
 	this.uri = "";
 	//connection options:
@@ -1072,7 +1072,7 @@ XpraClient.prototype._send_hello = function(challenge_response, client_salt) {
 	// make the base hello
 	this._make_hello_base();
 	// handle a challenge if we need to
-	if((this.password) && (!challenge_response)) {
+	if((this.passwords.length>0) && (!challenge_response)) {
 		// tell the server we expect a challenge (this is a partial hello)
 		this.capabilities["challenge"] = true;
 		this.clog("sending partial hello");
@@ -2137,9 +2137,8 @@ XpraClient.prototype._process_challenge = function(packet, ctx) {
 	function do_process_challenge(password) {
 		ctx.do_process_challenge(digest, server_salt, salt_digest, password);
 	}
-	if (ctx.password) {
-		const password = ctx.password;
-		ctx.password = null;	//next challenge will fall through
+	if (ctx.passwords.length>0) {
+		const password = ctx.passwords.shift();
 		do_process_challenge(password);
 		return;
 	}