Or because the password itself is leaked somehow (eg a DB of passwords that was stored incorrectly getting hacked, which happens with some degree of regularity). I use a "long and strong" password to lock a password manager, which itself generates long and strong unique passwords for each login (I use 1pw here, which is nice because it can also handle 2FA/rolling codes). I haven't yet found a better way of handling that at scale that isn't "write down your passwords on a piece of paper in clear-text".