This is an interesting question. It really depends on what you are using this JWT for and what your expected benefits are. Could you add a bit more detail?
The first thing that comes to mind for me is that JWTs allow you to store data with the token and verify it so that you don't have to look that data up in a database. But using a user's password hash (well, I presume you mean the the hash of their password as you should not be storing the password in plain text) means you need to look up the user record to retrieve that hash and verify the token.
One other side effect that comes to mind is that any user that updates their password will instantly invalidate any JWT signed with the old one. This may sign your user out across all open sessions, which could be a desirable effect, but worth considering.
Yashu Mittal More things have occurred to me since writing this.
A secret key in an application should be a long, random key. Rails, for example, generates a 64 byte random string by default. Guessing a key like this is practically impossible, however guessing a user password is relatively easy, especially since so many users re-use passwords and so many sites have been compromised and leaked these passwords.
I don't think you can use a timestamp for this. OTPs require a shared secret in order to generate and validate the OTP. The only thing this would add would be time sensitivity and make the boundaries of OTP periods awkward.
The more I think about it, the more likely you are to be able to keep a long, random secret safe yourself than rely on users to keep their passwords secret. So I would prefer to stick with an application secret (or even, if you insist, a generated secret per user).
But you didn't tell me what your expected benefit of using the user password was, aside from increased security, which I refute.