I'm the one in the family helping others (and friends too) set up and maintain their computers. The main issue I had: most of them didn't remember their passwords, so it was a chore to set up a new device. I had them buy a small notebook. Most of their passwords have 8 digits, and some are used 4-5 times. I tell them it is important to have unique and longer passwords for financial apps and important stuff. Since I'm the one setting up their devices, I'm not afraid to use 2FA for their phones or tablets.
I use Keepass as a bank for passwords on my PC and Bitwarden to sync my passwords on all my devices. I create unique passwords and don't change them very often. Last week, I decided to enhance my Google password on all my devices. Easy on most devices, but not on my Chromebook: it took me nearly one hour to have it function properly. So, no, I don't change my passwords regularly. With 2FA and an authenticator app, I don't see the need.
I don't envy you, but you are doing a good job!
That's the problem with not very techy people: they use the same password among so many sites (including their bank!), and when they eventually do come to change it because they had a warning it has expired... I can guarantee you they will use the same password with a 1 at the end or something. Then they say it's all too confusing that some sites use password and some use password1. Then they have password22.
Also, you've then got parents trying to set up and remember stuff for their younger kids, who may end up sharing a password of some kind... recipe for disaster.
For a general user the web seems very simple... I've even told friends and family not to re-use passwords etc., and how common it is that siteA will get breached... and mean your details for siteB, siteC & siteD are at risk and probably on a list somewhere on the dark web.
No, I don't reset 400+ random passwords every 90 days, no matter if that is loathers' best practice.
90 days was best practice back in the day with AD, and even then, go back to my previous point: people would usually just add a 1 or a 2 to the end of the password.
Be sure to use a minimum of 12 chars, and 2FA on anything that important; make sure that 2FA is not SMS, make sure it's app/token based.
Be sure it's a different password for every individual site... no major damage can ever be done with any breach.
For any site that is critical, be sure to note down recovery codes in your Keepass or pw manager db (or a second db just for recovery).