[sillysaurus]

Doesn't storing a hashed and salted version of a user's password accomplish the same thing as storing a user's public key?

No, because a public key can't be reversed into a private key. A hashed and salted version of a short-enough password can be reversed (sometimes trivially).

[sskates]

In both instances it depends on the length of the secret you hold. If your private key is small enough you can brute force it as well. That sounds like it's equivalent to requiring a password of a certain length.

Now that I think about it, you also need to make sure that your hashing mechanism is preimage resistant, which is an additional place to make a mistake, so public keys do have an advantage there.

[pi18n]

I think asymmetric keys have the advantage that, you could sign some token that includes the website name, so a phishing or XSS attack would work against one website at a time. In fact, if the token was something authenticated by the server's certificate and included the destination IP, the true website might be able to reject false signed tokens that weren't done via MITM.

[gingerlime]

and also, the user has to send the cleartext (unhashed) password to the website to login every time, in which case it can be intercepted.

Whereas with public key authentication you don't send the private key, you 'prove' that you have it by performing a challenge typically.