a password is used for authentication (login), it is not necessary that
it is known to the server you want to authenticate with. It is enough
that the server has a fingerprint (hash) of your password. With Tutanota your hash for authentication is calculated by your browser and only the hash is being sent. Your password never travels the Internet in plain text and it is never seen by our server. As hashes are
non-invertible, the server is unable to reconstruct your password from
the hash. In this
way the server is not able to decrypt your message, while still
able to log you in.