Thanks for including the support cost of password rotation!
In my mind, that is actually the biggest problem with password rotation. Account recovery is one of the biggest – if not the biggest – weak spots in any authentication system. The more routine you make account recovery, the more convenient it has to be and the less scrutiny your IT staff will apply to each request. Forgotten passwords are most likely to happen after a forced password change.
Honestly, weak passwords aren’t nearly the problem people make them out to be, at least alone. All but the weakest passwords are strong enough to protect against online brute force attacks as long as you implement appropriate rate limiting. The extreme example of this is Android and iPhone unlock PINs. A 4-6 digit PIN has a tiny bit of entropy, but the security chip enforces a maximum retry schedule and ultimately wipes the encryption keys after too many incorrect guesses. The only real problem with weak passwords is when they are combined with password reuse: if a hacker obtains an encrypted password database and then finds your username and password, they can try that for online attacks against other systems. But that can be solved by not reusing passwords and/or 2FA.
Of course, to avoid password reuse you need to use a password manager, which also allows you to use strong passwords with little penalty. So weak passwords are generally a sign of password reuse. But for the handful of passwords I need to enter by hand regularly I don’t really sweat the entropy that much.
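The comment's point about rate limiting and a wipe threshold making a low-entropy PIN adequate against online guessing can be made concrete. The following is an added example, not code from the comment above and not any phone vendor's actual implementation: the retry schedule, the wipe threshold of 10 failures and the class and function names are constructed assumptions. It models a verifier that refuses guesses during an escalating delay window and destroys its key after too many failures, then measures how far an exhaustive guesser gets and how much wall-clock time the schedule costs it.

```python
import hmac
from dataclasses import dataclass

# Constructed retry schedule (assumption, not any vendor's real policy):
# seconds the verifier refuses further guesses after the n-th consecutive
# failure. Failures 1-4 carry no delay so the legitimate user can mistype.
RETRY_DELAYS = {5: 60, 6: 60, 7: 300, 8: 900, 9: 3600}
WIPE_AFTER = 10          # consecutive failures that trigger a key wipe


class LockedOut(Exception):
    """Guess refused without being evaluated: still inside a delay window."""


class Wiped(Exception):
    """Too many failures: the verifier has destroyed its key material."""


@dataclass
class ThrottledPinVerifier:
    """Hypothetical secure-element style PIN check with throttling and wipe."""
    pin: str
    failures: int = 0
    unlock_at: float = 0.0   # earliest simulated time (s) a guess is accepted
    wiped: bool = False

    def check(self, guess: str, now: float) -> bool:
        if self.wiped:
            raise Wiped
        if now < self.unlock_at:
            raise LockedOut
        # Constant-time comparison so timing does not leak matching prefixes.
        if hmac.compare_digest(guess.encode(), self.pin.encode()):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= WIPE_AFTER:
            self.wiped = True
            raise Wiped
        self.unlock_at = now + RETRY_DELAYS.get(self.failures, 0)
        return False


def exhaustive_search_outcome(pin: str, digits: int) -> dict:
    """Model a guesser that tries every PIN in order as fast as the throttle
    allows. Reports guesses evaluated, simulated seconds spent, and whether
    the search hit the PIN or the wipe first."""
    verifier = ThrottledPinVerifier(pin)
    now, tried = 0.0, 0
    for n in range(10 ** digits):
        now = max(now, verifier.unlock_at)      # wait out the delay window
        tried += 1                               # this guess gets evaluated
        try:
            if verifier.check(f"{n:0{digits}d}", now):
                return {"tried": tried, "elapsed_s": now,
                        "found": True, "wiped": False}
        except Wiped:
            return {"tried": tried, "elapsed_s": now,
                    "found": False, "wiped": True}
    return {"tried": tried, "elapsed_s": now, "found": False, "wiped": False}


def success_probability(digits: int) -> float:
    """Chance a uniformly random PIN falls within the guesses allowed
    before the wipe: WIPE_AFTER out of the whole keyspace."""
    return min(1.0, WIPE_AFTER / 10 ** digits)


def unthrottled_seconds(digits: int, guesses_per_second: float) -> float:
    """Time to exhaust the keyspace with no throttle, for contrast."""
    return 10 ** digits / guesses_per_second


if __name__ == "__main__":
    print(exhaustive_search_outcome("7391", 4))   # wiped after 10 guesses
    print(success_probability(4), success_probability(6))
    print(unthrottled_seconds(4, 100.0), "s without any rate limit")
```

With these constructed numbers the guesser gets exactly 10 evaluated guesses, spends 4920 simulated seconds waiting through the delay windows, and then loses the key entirely; the probability that a random 4-digit PIN sits among those 10 guesses is 0.1%, and for 6 digits 0.001%. Without the throttle the same 4-digit space falls in 100 seconds at a modest 100 guesses per second, which is the gap the comment is pointing at: the retry schedule, not the PIN's entropy, is what carries the security.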