Dave F's Blog
Security for beginners

By Dave F in Reader

Posted in Open Source Software, Coding, Security on September 28, 2009 at 11:13 am


If you know much about passwords / security / etc. don’t read on, you’ll only get bored (unless I’ve got it wrong, in which case feel free to read and correct!). Anyway, I was explaining some basics to someone the other day and thought there might be others interested.

Passwords have a long tradition of telling friend from foe by exchanging a piece of secret data. The problem is, once it’s exchanged in the open it’s no longer secret. Whispering may work, but if you have to shout it, put it in a letter or send it in a plain-text email it isn’t going to stay secret.

Say my password is “3” (numbers are easier to work with, and we know computers turn everything into numbers sooner or later, so let’s start with them). You know it is 3; you ask me for it, and if I give it to you, you know it’s me. Trouble is, everyone else overheard it, so now it’s useless.

Instead you pass me a number, I add it to mine and pass it back, and if it adds up to what you get, it’s still me: you say “5”, I say “8”, you figure out 5+3=8, so yes, it’s me. Now anyone listening in has to know or figure out the formula and then calculate my password. If we are using a publicly defined standard formula (which on a computer system we probably are) they know the formula, so from 5+X=8 they can work out X=8-5 and that my password is 3. If they don’t know the formula they can probably figure it out if they hear enough exchanges.

What we need is a formula that isn’t so easy to work backwards, like a square. You say “5”, I add it to 3, square it and say 64. You do the same calculation and get 64: yes, it’s me. Now the listener has to do the inverse function: 64=(5+X)^2, so X = square root of 64, minus 5. Easy with one-digit numbers or a calculator; not so easy with big numbers and just paper and pencil.

That’s how most security works: don’t exchange the password, but mess up some random data with it in such a way that the sender of that data can mess it up the same way and check your answer. Anyone listening CAN figure out the password by reversing the “messing up” process, but if we make it complicated enough it will require years of supercomputing to figure out (a figure quoted for a 129-digit RSA key is 5,000 years of computing at 1 million instructions per second).
A step on from this is public key encryption, where I tell you how to mess it up but only I can un-mess it (loosely speaking!). http://en.wikipedia.org/wiki/Public-key_cryptography is a bit more accurate ;-)
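The exchange described above, as an added example that is not part of the original post: the two toy formulas (add, square) next to the same challenge-response done with a keyed one-way function. HMAC-SHA256 is my choice for the “messing up” step (an assumption; the post names no particular function), the password is the post’s “3” as bytes, and the verifier also refuses a challenge it has already accepted, so a recorded transcript cannot be played back.

```python
import hashlib
import hmac
import secrets
from math import isqrt


def add_response(password: int, challenge: int) -> int:
    """The post's first toy: challenge 5 + password 3 = 8. Reversed by 8 - 5."""
    return password + challenge


def square_response(password: int, challenge: int) -> int:
    """The post's second toy: (5 + 3)^2 = 64. Still reversible with a square root."""
    return (password + challenge) ** 2


def recover_from_square(challenge: int, response: int) -> int:
    """What the listener does with the toy: sqrt(64) - 5 = 3."""
    return isqrt(response) - challenge


def hmac_response(password: bytes, challenge: bytes) -> bytes:
    """The 'messing up' step done properly: a keyed one-way function (HMAC-SHA256).
    The listener sees challenge and response but cannot invert this to get the key."""
    return hmac.new(password, challenge, hashlib.sha256).digest()


class Verifier:
    """The side that knows the password, issues random challenges and checks answers."""

    def __init__(self, password: bytes) -> None:
        self._password = password
        self._outstanding: set[bytes] = set()

    def challenge(self) -> bytes:
        c = secrets.token_bytes(16)  # fresh random data for every exchange
        self._outstanding.add(c)
        return c

    def check(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self._outstanding:
            return False  # unknown or already used: a replayed transcript fails
        self._outstanding.discard(challenge)
        expected = hmac_response(self._password, challenge)
        return hmac.compare_digest(expected, response)  # constant-time compare


def run_exchange(claimed_password: bytes, verifier: Verifier) -> tuple[bytes, bytes, bool]:
    """One full exchange: verifier sends a challenge, prover answers, verifier decides."""
    c = verifier.challenge()
    r = hmac_response(claimed_password, c)
    return c, r, verifier.check(c, r)
```

Running the toy functions side by side with the HMAC version is the whole point: the toy transcript gives the password back in one step, the keyed one does not.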

http://www.ephesus.com/Encryption/PGP-Steps.html and http://home.clara.net/heureka/sunrise/pgpsec.htm seem quite informative too.
