Wouldn’t the low-entropy password still work on the web interface, and if so, why is it an improvement? Any brute-force attempts can very well be done on the web interface, and if there are countermeasures, why can’t they be used on the API endpoints?
Yes, that’s correct, but if you choose to not use 2FA for whatever reason, I don’t see why password auth shouldn’t be supported on the API instead of making you waste time generating an API key that won’t actually improve security in any way (since attackers can brute force the account anyway).