Assuming that the passwords are chosen independently, an adversary who intercepts one challenge-response message pair has no clues to help with a different challenge at a different time.
For added security, each set of codes is valid only for a particular time period, ordinarily 24 hours.
The correct response might be as simple as "63x83z", the algorithm having shifted each character of the challenge by a fixed amount (a Caesar cipher). A scheme that simple is only an illustration of the idea: an eavesdropper who sees a single challenge-response pair can recover the shift and answer every later challenge.
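As an added illustration that is not part of the original article, the toy Caesar-shift scheme in Python. The challenge alphabet (digits and lowercase letters), the secret shift value and the sample challenges are all assumed for the demonstration. The block also shows why such a scheme is only a teaching example: one observed pair is enough to recover the shift and forge the response to the next challenge.

```python
import hmac
import string
from typing import Optional

# Assumed challenge alphabet: digits wrap within 0-9, letters within a-z.
DIGITS = string.digits
LOWER = string.ascii_lowercase
# Digits repeat every 10 shifts and letters every 26, so every distinct
# shift lies in range(lcm(10, 26)) = range(130).
PERIOD = 130


def caesar_shift(text: str, shift: int) -> str:
    """Shift each character of `text` by `shift` positions within its own alphabet."""
    out = []
    for ch in text:
        if ch in DIGITS:
            out.append(DIGITS[(DIGITS.index(ch) + shift) % 10])
        elif ch in LOWER:
            out.append(LOWER[(LOWER.index(ch) + shift) % 26])
        else:
            raise ValueError(f"unsupported character {ch!r}")
    return "".join(out)


def verify_response(challenge: str, response: str, secret_shift: int) -> bool:
    """Verifier side: the response must equal the challenge shifted by the shared secret."""
    expected = caesar_shift(challenge, secret_shift)
    # Constant-time comparison, as any verifier should use even for a toy.
    return hmac.compare_digest(expected.encode(), response.encode())


def recover_shift(challenge: str, response: str) -> Optional[int]:
    """Eavesdropper side: brute-force the only 130 possible shifts from one observed pair."""
    for shift in range(PERIOD):
        if caesar_shift(challenge, shift) == response:
            return shift
    return None


def forge_response(observed_challenge: str, observed_response: str,
                   new_challenge: str) -> Optional[str]:
    """Recover the shift from one intercepted pair, then answer a fresh challenge."""
    shift = recover_shift(observed_challenge, observed_response)
    if shift is None:
        return None
    return caesar_shift(new_challenge, shift)


if __name__ == "__main__":
    secret_shift = 4                      # assumed shared secret
    challenge = "7q3z9a"                  # constructed challenge
    response = caesar_shift(challenge, secret_shift)
    print(challenge, "->", response, "valid:", verify_response(challenge, response, secret_shift))
    forged = forge_response(challenge, response, "00aa11")
    print("forged answer to next challenge:", forged,
          "accepted:", verify_response("00aa11", forged, secret_shift))
```

If the observed challenge happens to contain only digits, `recover_shift` can pin the shift down only modulo 10, so the first forged answer to a challenge containing letters may fail; a second observed pair resolves the ambiguity.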
CAPTCHAs, for example, are meant to allow websites and applications to determine whether an interaction was performed by a genuine user rather than a web scraper or bot.
The distortion was designed to make automated optical character recognition (OCR) difficult and prevent a computer program from passing as a human.
One way to do this is to use the password as an encryption key and send some randomly generated data, encrypted under it, as the challenge. The other end must then return, as its response, a similarly encrypted value that is some predetermined function of the original data, thereby proving that it was able to decrypt the challenge.
Using data that is freshly generated on each exchange, with a response that differs from the challenge, guards against a replay attack, in which a malicious intermediary simply records the exchanged data and retransmits it later to fool one end into believing it has authenticated a new connection attempt from the other.
Authentication protocols usually employ a cryptographic nonce as the challenge to ensure that every challenge-response sequence is unique.
It can also be important to use time-based nonces and synchronized clocks if the application is vulnerable to a delayed-message attack, in which an adversary withholds a captured message and delivers it later; a nonce that carries its issue time lets the verifier reject anything older than a short window.
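The exchange described in the preceding paragraphs, as an added example that is not part of the original article: a verifier issues a fresh random nonce prefixed with its issue time, the client answers with a keyed function of the whole challenge, and the verifier refuses both replays (each challenge is accepted at most once) and stale challenges (older than an acceptance window). HMAC-SHA256 keyed with the shared secret stands in for the encrypt/decrypt step the text describes; the shared secret, the 30-second window and the clock values are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict


def compute_response(secret: bytes, challenge: bytes) -> bytes:
    """Client side: a predetermined function of the challenge, keyed with the shared secret.

    HMAC-SHA256 replaces 'decrypt, transform, re-encrypt' from the text. The fixed
    label keeps this value distinct from any other use of the same secret.
    """
    return hmac.new(secret, b"challenge-response:" + challenge, hashlib.sha256).digest()


class Verifier:
    """Server side: issues time-based nonces and checks responses exactly once."""

    def __init__(self, secret: bytes, max_age: float = 30.0,
                 clock: Callable[[], float] = time.time):
        self._secret = secret
        self._max_age = max_age          # acceptance window in seconds (assumed)
        self._clock = clock              # injectable so the window can be tested
        self._outstanding: Dict[bytes, float] = {}

    def issue_challenge(self) -> bytes:
        """8-byte big-endian issue time followed by 16 random bytes."""
        issued = int(self._clock())
        challenge = issued.to_bytes(8, "big") + os.urandom(16)
        self._outstanding[challenge] = float(issued)
        return challenge

    def verify(self, challenge: bytes, response: bytes) -> bool:
        # Consume the challenge first: a second presentation of the same
        # challenge, however correct its response, is a replay.
        if self._outstanding.pop(challenge, None) is None:
            return False
        # Time-based nonce: reject a challenge that was issued too long ago,
        # which is what a delayed message looks like to the verifier.
        issued_at = int.from_bytes(challenge[:8], "big")
        if self._clock() - issued_at > self._max_age:
            return False
        expected = compute_response(self._secret, challenge)
        return hmac.compare_digest(expected, response)


def demo() -> Dict[str, bool]:
    """Run one honest exchange, a replay, a delayed delivery and a wrong-secret attempt."""
    clock = [1_700_000_000.0]                 # constructed, controllable clock
    secret = b"correct horse battery staple"  # constructed shared secret
    server = Verifier(secret, max_age=30.0, clock=lambda: clock[0])

    c1 = server.issue_challenge()
    r1 = compute_response(secret, c1)
    fresh = server.verify(c1, r1)             # honest client, accepted
    replay = server.verify(c1, r1)            # recorded pair retransmitted, rejected

    c2 = server.issue_challenge()
    r2 = compute_response(secret, c2)
    clock[0] += 120                           # message held back for two minutes
    delayed = server.verify(c2, r2)           # outside the window, rejected

    c3 = server.issue_challenge()
    wrong = server.verify(c3, compute_response(b"guess", c3))  # no shared secret

    return {"fresh": fresh, "replay": replay, "delayed": delayed,
            "wrong_secret": wrong, "response_differs": r1 != c1}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:17} {ok}")
```

Only the verifier's clock is consulted here, so the client needs no synchronized time. If the client generated the time component itself, as time-based one-time-password schemes do, both sides' clocks would have to agree to within the window, which is the synchronization requirement the text raises.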
However, this presents a problem for many (but not all) challenge-response algorithms, which require both the client and the server to have a shared secret.