I think it's also worth pointing out that there are many reasons why 2FA is valuable. Even if someone ends up with your password, they would still need your second factor, which could be a TOTP token or a WebAuthn device like a YubiKey.
Even if you rotated your password frequently, there would still be a large window of compromise. Password rotation only helps with very strange attack scenarios, and passwords themselves aren't really good enough for anything where security actually matters.
I would personally push away from passwords on the whole at this point. SSO is probably more secure for most users. Plenty of websites only support username+password auth, and given how bad most passwords are... I might even go so far as to suggest that username+TOTP is instantly more secure than that, especially with proper rate limiting as you should have anyways. (Yes, I know TOTP is "supposed" to only be a second factor.)
WebAuthn takes this to the next level and promises a future where you can use a strong single factor to log in, without any opportunity for phishing or credential compromise... but most implementations I've seen still require a fallback password mechanism. There are understandable reasons for this right now, but it is unfortunate.
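
The "username+TOTP with proper rate limiting" idea from the comment above, as an added example that is not part of the original comment: an RFC 6238 verifier with per-account lockout and a replay guard, so a 6-digit code cannot simply be guessed or reused. The `TotpLogin` class, the `MAX_FAILURES` and `LOCKOUT` values, and the in-memory storage are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30           # seconds per TOTP time step (RFC 6238 default)
DIGITS = 6
MAX_FAILURES = 5    # assumed policy value, not from the comment
LOCKOUT = 300       # assumed lockout length in seconds

def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 and RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

class TotpLogin:
    """Hypothetical in-memory verifier: per-user lockout plus replay guard."""

    def __init__(self, secrets: dict):
        self.secrets = secrets
        self.failures = {}    # user -> (failure count, locked-until time)
        self.last_step = {}   # user -> last time step that was accepted

    def verify(self, user: str, code: str, now: int) -> str:
        count, locked_until = self.failures.get(user, (0, 0))
        if now < locked_until:
            return "locked"   # refuse before doing any comparison
        secret = self.secrets.get(user)
        if secret is not None:
            # Accept the current step and the previous one (clock drift),
            # but never a step at or before the last one already used.
            for step in (now // STEP, now // STEP - 1):
                if step <= self.last_step.get(user, -1):
                    continue
                expected = totp(secret, step * STEP).encode()
                if hmac.compare_digest(expected, code.encode()):
                    self.last_step[user] = step
                    self.failures.pop(user, None)
                    return "ok"
        # Unknown users and wrong codes take the same failure path.
        count += 1
        until = now + LOCKOUT if count >= MAX_FAILURES else 0
        self.failures[user] = (count, until)
        return "denied"
```
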