How would you answer this question that was asked during an interview?

I had a job interview and the interviewing person asked me "***if I was in charge of a company's IT department, and we provided external, front facing interfaces to a customer (API's?). The customer asked that we implement a policy that requires passwords to be rotated every 90 days. Is this a good or bad idea?***"

I don't have more context than that. But I responded with that I agree with password rotation (even though there is debate regarding passwordless …

api bad context customer cybersecurity department don external interview interviewing job passwords policy question