-3

Is it possible for Alice to authenticate Bob without using any secret information except her password, i.e. they don't share anything else? If so, how can I authenticate Alice and ensure the integrity and confidentiality of the password at the same time? Is hashing useful in this case? If so, can I use a two-way hash function, since I know it is a one-way function?

I suggest a way using a nonce and timestamp, as shown in the pic.

Sara

1 Answer

1

Yes, hashes can be used in conjunction with a shared key to authenticate a message (this kind of Hash-based Message Authentication Code is the HMAC often referred to in cryptographic protocols). Some details are here. This also provides message authentication (in your scheme, Mallory could modify T2 and Bob wouldn't know; that can't happen so easily with HMAC). Hashes (although not HMACs) are also used in HTTP digest authentication.

Note that just having Bob send a nonce and having Alice then send H(key+nonce) opens up the possibility of a chosen-plaintext attack on the hash; this may or may not work, but typically will work at least if Mallory could send a blank nonce (with many common hashes, if H(m) is known, then H(m+x) is easy to find for any x), and it's generally best to try to avoid the possibility. So, digest authentication has another component in the response (the requested URI), and can be implemented to have a nonce provided by Alice as well.

cpast
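A sketch of the challenge-response the answer describes, added here as an example and not part of the original answer: the response is an HMAC rather than a bare H(key+nonce), and it covers Bob's nonce, a nonce chosen by Alice, and the requested URI. The function and class names, the PBKDF2 key derivation and its iteration count, and the sample password and URIs are assumptions made for illustration.

```python
import hashlib, hmac, secrets

def frame(*fields: bytes) -> bytes:
    # Length-prefix each field so (b"ab", b"c") and (b"a", b"bc") cannot collide.
    return b"".join(len(f).to_bytes(4, "big") + f for f in fields)

def derive_key(password: str, salt: bytes) -> bytes:
    # Assumption: both sides derive the MAC key from the password this way.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def respond(key: bytes, server_nonce: bytes, client_nonce: bytes, uri: str) -> bytes:
    # Alice's side. HMAC is not affected by hash length extension, and her own
    # nonce means whoever issues the challenge never fully chooses the MAC input.
    msg = frame(server_nonce, client_nonce, uri.encode())
    return hmac.new(key, msg, hashlib.sha256).digest()

class Verifier:
    """Bob's side: issues single-use nonces and checks responses."""
    def __init__(self, key: bytes):
        self.key = key
        self.outstanding = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, server_nonce: bytes, client_nonce: bytes, uri: str, tag: bytes) -> bool:
        if server_nonce not in self.outstanding:
            return False                          # unknown, blank or reused nonce
        self.outstanding.discard(server_nonce)    # each challenge is single-use
        expected = respond(self.key, server_nonce, client_nonce, uri)
        return hmac.compare_digest(expected, tag)  # constant-time comparison

def demo():
    key = derive_key("correct horse", b"constructed-salt")  # constructed sample values
    bob = Verifier(key)
    n1, cn = bob.challenge(), secrets.token_bytes(16)
    tag = respond(key, n1, cn, "/inbox")
    ok = bob.verify(n1, cn, "/inbox", tag)         # genuine response
    replayed = bob.verify(n1, cn, "/inbox", tag)   # same message sent again
    n2 = bob.challenge()
    tag2 = respond(key, n2, cn, "/inbox")
    tampered = bob.verify(n2, cn, "/admin", tag2)  # URI changed in transit
    return ok, replayed, tampered

if __name__ == "__main__":
    print(demo())
```
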