The exam presents a comparison between a short complex password and a long simple one and asks which has more entropy. Most test-takers intuitively pick the complex password. The correct answer is almost always the long one.
The entropy formula: combinations = character_set_sizelength
- 8-character password using full character set (94 chars): 948 ≈ 6 × 1015 combinations
- 16-character lowercase-only password (26 chars): 2616 ≈ 4.4 × 1022 combinations
- The 16-character lowercase password has 7 million times more entropy despite using far fewer character types
Why this is counterintuitive: adding a character type (e.g., going from 26 to 94 characters) multiplies by about 3.6×. Adding one character to the length multiplies by the entire character set size. Each length increment compounds exponentially; each character set increment is a one-time multiplier.
NIST connection: NIST SP 800-63B favors passphrases over complexity rules for this exact reason. A 4-word passphrase beats an 8-character complex password in entropy every time.
The exam will describe a scenario where credentials stolen from Site A are used to log into Site B, C, and D, and ask which control prevents this. The correct answer is always a password manager (unique passwords per service), not MFA, not complexity requirements, not expiration.
Why MFA alone is wrong: credential stuffing does not bypass MFA. But the question asks specifically what prevents credential stuffing. Unique passwords eliminate the attack at the source — if every site has a different password, a breach at Site A yields a credential valid only at Site A. MFA is a mitigation; unique passwords prevent the attack entirely.
Why complexity and expiration are wrong:
- A complex password reused across sites is just as vulnerable to stuffing as a simple one
- Expiration does not help if the attacker tests the credential immediately after a breach — and most credential stuffing attacks are automated and fast
Password manager logic chain: password manager → unique random password per site → breach at Site A exposes only Site A's credential → credential useless at Sites B, C, D → credential stuffing attack fails
The exam presents a scenario and asks whether JIT permissions or password vaulting is described. Most candidates mix them up because both involve privileged access. Two diagnostic questions instantly separate them:
Question 1: Does the credential expire?
- If YES → JIT permissions (ephemeral credentials with a TTL)
- If NO → Password vaulting (permanent credentials rotated by the vault)
Question 2: Does the administrator know the password?
- If YES (even temporarily) → JIT permissions
- If NO (vault proxies the session, admin never sees the credential) → Password vaulting
Exam trap scenarios:
- “Credentials issued for a 2-hour maintenance window” → JIT (time-limited)
- “Administrator connects to the database server and the session is recorded; administrator does not know the database password” → Vaulting (session proxy, hidden credential)
- “Request submitted, approved by clearinghouse, temporary elevation granted” → JIT (clearinghouse = JIT workflow component)
- “Credentials automatically rotated after each checkout” → Vaulting (auto-rotation is a vaulting feature)
The exam asks what makes Windows Hello (or a similar passwordless system) true MFA when there is no password involved. Candidates who answer “it is just something you are” or “it uses biometrics only” are wrong.
The Windows Hello factor breakdown:
- Biometric scan (face or fingerprint) = something you are
- TPM chip holding the private cryptographic key = something you have
The biometric unlocks the TPM-protected key. Authentication is performed by the key, not the biometric. The private key never leaves the TPM — this is why remote credential theft fails even if the password database is breached (there is no password to breach).
The MFA qualification: two different factor categories are satisfied: inherence (biometrics) + possession (TPM). This is true MFA without any password.
Why “just biometrics” is wrong: the TPM is the authenticating component. The biometric is the local unlock mechanism for the TPM key. Without the physical device (TPM), the biometric alone cannot authenticate — the combination is required.
Passwordless also prevents: phishing (no password to phish), credential stuffing (no credential to stuff), brute-force (no password hash to crack), and password reuse attacks.