Hacker News
by ctime 882 days ago
Google isn’t really worried about password entropy beyond a reasonable amount. The primary threat model is phishing. This is why multifactor is so important and once you have that enabled, nobody gives a shit if you even rotate your password. Just needs to be long enough and not guessable because it’s not the sole means of authentication.

Probably not a good idea to have something as critical as one’s primary email account identity tied to only a single factor of phishable credentials.

Requiring App passwords seems better, but it bypasses requiring a MF.

OAuth, while a beast, seems even better as the workflow still initially requires a second factor.