Let's set aside the fact that MFA and passwordless auth are not a panacea (in most cases except those with strong cryptographic token and verifier guarantees) and in many cases outsource the risk to requisite processes (hello SMS / SIM swap attacks and provider identity verification failures). You basically spelled out why length, some complexity, and avoidance of reuse are important in pure offline attacks like brute-forcing, dictionary, and rainbow table-based attacks. So I don't quite understand why the "Does your password matter" column says no there. Beyond that, and I'm sure this is mostly geared toward human authentication, in the case of service accounts or resource accounts, MFA simply may not be possible. Of course today we have things like access tokens and STS and temporary privilege escalation and password vault integration, but in environments older than about 3-5 years, you're going to encounter the tech debt of domain or local service accounts used to keep the lights on with standard password auth. We can sit here and talk about what best practices for IAAA should be followed, but in reality, passwords DO matter, because in reality they are still widely used.
Whether people need to reassess and modernize their approaches to credential management and authentication is vastly different than saying "don't worry about password hygiene, they don't matter anyway."