You can think of it like a labyrinth, where you know that there is an exit but you don’t know if there are more than 1 connections to that exit, with the one known route leading through a password authentication which you don’t wanna go through.

You basically play with the system forwards and backwards, meaning you also try to find a way from exit to start. If you do both you get an instinct for when you get close to the other end, sometimes by surprise after you took a weird turn that didn’t look like the right one at all when you took it.

My favourite example of a complicated shortest route that is not the intended one is the Windows 95 domain authentication bypass