Challenge-response authentication uses a cryptographic protocol that allows a user to prove knowledge of the password without revealing the password itself. Using this method, the application first obtains a random challenge from the server. It then computes the response by applying a cryptographic hash function to the server challenge combined with the user's password. Finally, the application sends the response, along with the original challenge, back to the server. Because of the "one-way" property of the hash function, it is impossible to recover the password from the response sent by the application.
Upon receiving the response, the server applies the same hash function to the challenge combined with its own copy of the user's password. If the resulting value matches the response sent by the application, this indicates with a very high degree of probability that the user has submitted the correct password.
Note that the Zenfolio user database does not store actual user passwords. Instead, it stores a cryptographic hash of the password combined with a randomly generated salt value. This makes it impossible to recover user passwords if the security of the Zenfolio server is compromised. (This also means that if you forget your password, no person at Zenfolio can tell you what your password is. Zenfolio Customer Support can help you reset your password, but that's all.)
Since the server has no access to clear-text passwords, the challenge-response protocol described above is modified to use password hashes instead of the actual passwords. The exact authentication protocol works as follows:
PasswordHash := SHA-256(PasswordSalt, UTF-8(password))
Response := SHA-256(Challenge, PasswordHash)
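The two formulas above, worked through as a complete client/server exchange. This is an added example, not Zenfolio's own code: it assumes the two-argument SHA-256 notation means the hash over the concatenation of the two byte strings (salt or challenge first), that the server hands the client the user's salt together with the challenge, and that each challenge is accepted only once. The Server class and its method names are hypothetical.

```python
import hashlib
import hmac
import os


def password_hash(salt: bytes, password: str) -> bytes:
    """PasswordHash := SHA-256(PasswordSalt, UTF-8(password)).
    Assumption: concatenation of the byte strings, salt first."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def response(challenge: bytes, pw_hash: bytes) -> bytes:
    """Response := SHA-256(Challenge, PasswordHash), challenge first."""
    return hashlib.sha256(challenge + pw_hash).digest()


class Server:
    """Toy server: stores only (salt, PasswordHash) per login, never the password."""

    def __init__(self) -> None:
        self.users: dict[str, tuple[bytes, bytes]] = {}
        self.pending: dict[str, bytes] = {}   # outstanding challenge per login

    def register(self, login: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[login] = (salt, password_hash(salt, password))

    def get_challenge(self, login: str) -> tuple[bytes, bytes]:
        salt, _ = self.users[login]
        challenge = os.urandom(32)
        self.pending[login] = challenge       # single use: consumed on verify
        return salt, challenge

    def authenticate(self, login: str, challenge: bytes, resp: bytes) -> bool:
        issued = self.pending.pop(login, None)
        # Reject unknown, reused or altered challenges before doing any hashing.
        if issued is None or not hmac.compare_digest(issued, challenge):
            return False
        _, pw_hash = self.users[login]
        # Server recomputes the response from its stored hash; constant-time compare.
        return hmac.compare_digest(response(challenge, pw_hash), resp)


def client_login(server: Server, login: str, password: str) -> bool:
    """Client side: fetch salt + challenge, derive PasswordHash, send Response."""
    salt, challenge = server.get_challenge(login)
    pw_hash = password_hash(salt, password)
    return server.authenticate(login, challenge, response(challenge, pw_hash))
```

Note that the client computes the Response from PasswordHash alone, so in this scheme the stored hash is equivalent to the password for authentication purposes: a leaked user database does not reveal passwords, but it must still be protected as a credential store.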