Impersonation requires knowledge of the other user's password.

Impersonation is acting with someone else’s identity in a system, and it does not rely on knowing their password. Modern security designs separate authentication from authorization and provide ways to assume another user’s identity through tokens or privileged access. For example, a system may allow an admin to “log in as” a user, or use session tokens, access tokens, or delegation mechanisms (like Kerberos, OAuth, or SAML) that carry the user’s identity without revealing or knowing their password. Windows-style impersonation uses an access token to assume another user’s security context, again without needing the password. Because these mechanisms let you act on behalf of another user without their password, the statement is false.