diff --git a/tsshbatch.rst b/tsshbatch.rst
index 9c26b36..ead0b32 100644
--- a/tsshbatch.rst
+++ b/tsshbatch.rst
@@ -92,10 +92,111 @@
 
 2) Authentication Using Name And Password
 
+   The simplest way to use ``tsshbatch`` is to just name the servers
+   can command you want to run::
+
+     tsshbatch.py linux-prod-servers uptime
+
+   You will be promted for your username and password one time
+   which ``tsshbatch`` will then use to log into each of the
+   machines named in ``linux-prod-servers``.  (*Notice that
+   his assumes your name and password are the same on each
+   server!*)
+
+   Typing in your login credentials all the time can get tedious after
+   awhile so ``tsshbatch`` provides a means of providing them on the
+   command line::
+
+     tsshbatch.py -n joe.luser -p my_weak_pw linux-prod-servers uptime
+
+   This allows you to use ``tsshbatch`` inside scripts for hands-free
+   operation.
+
+   If your login name is the same on all servers, you can simplify
+   this further by defining it in the environment variable::
+
+     export TSSHBATCH="-n joe.luser"
+
+   Any subsequent invocation of ``tsshbatch`` will only require a
+   password to run.
+
+   HOWEVER, there is a huge downside to this - your plain text
+   password is exposed in your scripts, on the command line, and
+   possibly your command history.  This is a pretty big security hole,
+   especially if you're an administrator with extensive privileges.
+   (This is why the ``ssh`` program does not support such an option.)
+   For this reason, it is strongly recommended that you use the ``-p``
+   option sparingly, or not at all.  A better way is to push ssh keys
+   to every machine and use key exchange authentication as described
+   below.
+
+   However, there are times when you do have use an explicit password,
+   such as when doing ``sudo`` invocations.  It would be really nice
+   to use ``-p`` and avoid having to constantly type in the password.
+   There are two strategies for doing this more securely than just
+   entering it in plain text on the command line:
+
+     - Temporarily store it in the environment variable::
+
+         export TSSHBATCH="-n joe.luser -p my_weak_pw"
+
+       Do this *interactively* after you log in, not from
+       a script (otherwise you'd just be storing the plain text
+       password in a different script).  The environment variable
+       will persist as long as you're logged in and disappear
+       when you log out.
+
+       If you use this just make sure to observe three security
+       precautions:
+
+         1) Clear your screen immediately after doing this so no one
+            walking by can see the password you just entered.
+
+         2) Configure your shell history system to ignore
+            commands beginning with ``export TSSHBATCH``.  That
+            way your plain text password will never appear in
+            the shell command history.
+
+         3) Make sure you don't leave a logged in session unlocked so
+            that other users could walk up and see your password by
+            displaying the environment.
    
+       This approach is best when you want your login credentials
+       available for the duration of an *entire login session*.
+
+     - Store your password in an encrypted file and decrypt it
+       inline.
+
+       First, you have to store your password in an encrypted format.
+       There are several ways to do this, but ``gpg`` is commonly
+       used::
+
+         echo "my_weak_pw" | gpg -c >mysecretpw
+
+       Provide a decrypt passphrase, and you're done.
+
+       Now, you can use this by decrypting it inline as needed::
+
+         #!/bin/sh
+         # A demo scripted use of tsshbatch with CLI password passing
+
+         MYPW=`cat mysecretpw | gpg`   # User will be prompted for unlock passphrase
+
+         sshbatch.py -n joe.luser -p $MYPW hostlist1 command1 arg
+         sshbatch.py -n joe.luser -p $MYPW hostlist2 command2 arg
+         sshbatch.py -n joe.luser -p $MYPW hostlist3 command3 arg
+
+       This approach is best when you want your login credentials
+       available for the duration of *the execution of a script*.  It
+       does require the user to type in a passphrase to unlock the
+       encrypted password file, but your plain text password never
+       appears in the wild.
+
 
 3) Authentication Using Key Exchange
 
+
+
 4) Executing A ``sudo`` Command
 
    - Forces luser to type in pw
@@ -141,7 +242,7 @@
 
 ::
 
-  $Id: tsshbatch.rst,v 1.102 2011/12/30 16:53:02 tundra Exp $
+  $Id: tsshbatch.rst,v 1.103 2011/12/30 17:56:25 tundra Exp $
 
 You can find the latest version of this program at: