
Public key authentication works like this: I create a 'keypair', a public and a private key. Anything that is encrypted with my public key can only be decrypted with my private key [1].

So, I keep my private key private and give everyone my public key. Then, for example, if you want to email me in private, you encrypt your email to me with my public key; that way only I can decode it.

Every time I send my password over the network, I run the risk of having it stolen. Instead, you generate a key pair on your own computer and copy the public key to the server. Then, when the server asks you to prove who you are, you generate a signature using your private key. The server can verify that signature (since it has your public key) and allow you to log in. Now if the server is hacked or spoofed, the attacker does not gain your private key or password; they only gain one signature. And signatures cannot be re-used, so they have gained nothing.
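The login exchange described above, sketched in Go as an added example (not code from the original page), showing why a captured signature is useless on a later login. It assumes the server sends a fresh random challenge for each login and the client signs it with Ed25519; `Server`, `Challenge`, `Login`, `Demo` and the user `alice` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server stores public keys only; it never holds a private key or a password.
type Server struct {
	authorized map[string]ed25519.PublicKey // user -> public key copied to the server
	pending    map[string][]byte            // user -> challenge awaiting a signature
}

// Challenge issues a fresh random value for one login attempt (assumed mechanism).
func (s *Server) Challenge(user string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // no entropy available: refuse to continue
	}
	s.pending[user] = nonce
	return nonce
}

// Login checks the signature against the pending challenge, then discards the challenge.
func (s *Server) Login(user string, sig []byte) bool {
	nonce, asked := s.pending[user]
	pub, known := s.authorized[user]
	delete(s.pending, user) // each challenge is valid for one attempt only
	return asked && known && ed25519.Verify(pub, nonce, sig)
}

// Demo returns the result of a genuine login and of replaying its captured signature.
func Demo() (genuine, replayed bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // key pair made on the client
	if err != nil {
		panic(err)
	}
	srv := &Server{map[string]ed25519.PublicKey{"alice": pub}, map[string][]byte{}}
	sig := ed25519.Sign(priv, srv.Challenge("alice")) // private key never leaves the client
	genuine = srv.Login("alice", sig)
	srv.Challenge("alice")             // a later login gets a different challenge
	replayed = srv.Login("alice", sig) // the captured signature is sent again
	return genuine, replayed
}

func main() {
	genuine, replayed := Demo()
	fmt.Println("genuine login:", genuine, "| replayed signature:", replayed)
}
```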

[1] Don't ask why at this point; it's about large prime numbers. Just take it as read that it is in fact the case.