As someone who has very strong feelings about sites not letting me choose secure passwords, or storing them insecurely...no.
Fines for storing passwords insecurely and getting breached, sure. This is already handled by PCI/HIPAA, but could definitely stand to be improved. Prison time? There's no possible way that would end well.
Fines for "anyone whose password can be brute forced from one of these leaks"? So that means 80% of people out there would be given "substantial fines". Not going to happen.
> So that means 80% of people out there would be given "substantial fines". Not going to happen.
How is that any different than giving speeding tickets? If you behave recklessly in a way that puts others at risk, you should have to make restitution to society.
Hmm, not sure I understand your reasoning here. You don't think there's a difference between speeding and choosing a weak password for a site like last.fm? The latter might be a bit silly, but how does it put others at risk?
With the Dropbox hack for example, the reason they got hacked is because one of their employees reused a password, presumably from another site that got hacked. So that's one vector, where every time a site gets hacked, people using weak passwords (and reusing them) create the risk of future hacks.
But more generally, exposing your account credentials allows others to impersonate you and potentially scam others, expose the data of others, etc. In the case of Last.fm there obviously isn't a ton of potential for abuse directly, other than maybe firing off fake song plays to pocket the royalties, but the potential for greater harm exists in the general case. E.g. consider the enormous percentage of credit card transactions that are fraudulent, largely because of scammers using PII that's stolen in these large scale hacks. That absolutely affects the fees and interest rates for everyone else using banks in any way, so even if your own identity isn't stolen you're absolutely still affected.
And even in some hypothetical scenario where the only person harmed would be the person using the weak password, there is still precedent for regulation because we have laws requiring people to wear bike helmets, preventing kids from smoking, etc.
Got it, I certainly disagree and don't think the 41,000,000 last.fm users (whose passwords were cracked in two hours) should receive a substantial fine. I don't think there's a whole lot of precedent for this type of legislation either; what you're suggesting requires at least two other crimes to be committed by someone else (before someone else would potentially be at risk due to the user's bad password choice) - in addition to recklessness on behalf of the service provider (which also may be regulated and/or illegal under PCI/HIPAA/etc as grandparent points out). In other words:
1. User signs up for a web service, uses weak password.
2. Web service recklessly stores passwords/hashes in an easily crackable way.
3. Someone hacks the web service, steals usernames and passwords/hashes, then leaks the data.
4. Someone potentially uses the leaked credentials/user information to impersonate user, commits identity theft, fraud etc.
5. User receives a "substantial fine" for using a weak password (like 96% of the users of this online music service).
I had written a more long-winded response, but it probably suffices to say that there are major issues/contradictions/implications of what you're proposing. Like how would you enforce it, should law enforcement only rely on data theft/leaks, or should they have direct access to all user databases for online services? How would they prove the integrity of the data leaks? How would you prove that the password is reused, and how'd you determine the size of the fine? Does it matter if the password is strong, but reused and one of those services stores it in plain text and is hacked? Would it be legal to use a weak password for a service if the hashing algorithm is strong, or just as long as the service isn't hacked and the data leaked?
> How would they prove the integrity of the data leaks?
Most jurisdictions already have security breach notification laws. If you're already required to report data loss to customers and/or the government, then at that point I don't think it's unreasonable to require companies to provide a copy of any leaked credentials since they should all be deactivated anyway.
> How would you prove that the password is reused, and how'd you determine the size of the fine?
If companies were required to turn over credentials that had been breached, then this would be determined from the entire set of breached credentials.
> Does it matter if the password is strong, but reused and one of those services stores it in plain text and is hacked?
Sure, that's exactly why you're not supposed to ever reuse passwords even if they're strong.
> Would it be legal to use a weak password for a service if the hashing algorithm is strong, or just as long as the service isn't hacked and the data leaked?
I think there should be some minimum entropy level that's required regardless of the hashing algorithm. E.g. given that passwords can be automatically generated and stored, there is zero reason ever to use a password that's less than 30 characters of completely random characters.
> what you're suggesting requires at least two other crimes to be committed
The fact that these crimes are interconnected is why such a law is needed in the first place. And all these attacks are automated, so if you're reusing your last.fm password on Facebook and it takes ten minutes to brute force your last.fm password, then your Facebook account is going to potentially be pwned in ten minutes and 1 second.
If there were some benefit to having weak passwords then that would be one thing, but the way I see it it's just people creating a national security risk out of pure laziness.
With a weak password, step 2 is redundant: even with more than the recommended rounds of bcrypt/scrypt, if your password is "123456" it's getting cracked.
verify(candidate, storedEntry) has to run in a time reasonable for a web service to handle, which means that 123456 is still going to get tried against all the accounts in a reasonable time.
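The two points above (a minimum-entropy requirement regardless of the hashing algorithm, and a slow hash not rescuing a password like "123456" because verify() must stay fast enough for a web service) can be seen together in one small program. This is an added example written for this thread, not code from any commenter or from last.fm/Dropbox; the denylist, the 60-bit entropy threshold, the scrypt parameters and the function names are all assumptions chosen for illustration.

```python
"""Added example (not from the thread): a signup-time password gate backed by a
scrypt hash store, plus the arithmetic showing why the hash cost alone cannot
protect a password that sits in a short common-password list."""
import hashlib
import hmac
import math
import os
import string
import time
from typing import List, Optional, Tuple

# Constructed, deliberately tiny denylist standing in for a real breach-derived corpus.
COMMON_PASSWORDS = frozenset({
    "123456", "password", "12345678", "qwerty", "abc123", "111111", "letmein",
})

# Assumed policy threshold (not a number from the thread): reject below 60 estimated bits.
MIN_ENTROPY_BITS = 60.0

# Assumed scrypt cost: sized so one verify() stays in the tens of milliseconds on a
# typical server core, which is the constraint the comment above describes.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def estimate_entropy_bits(password: str) -> float:
    """Crude upper-bound estimate: length * log2(size of the character classes used).
    Dictionary words and keyboard walks score far higher than they deserve, which is
    why the denylist check in check_password_policy() runs as well."""
    if not password:
        return 0.0
    charset = 0
    if any(c in string.ascii_lowercase for c in password):
        charset += 26
    if any(c in string.ascii_uppercase for c in password):
        charset += 26
    if any(c in string.digits for c in password):
        charset += 10
    if any(c not in string.ascii_letters + string.digits for c in password):
        charset += 33  # punctuation plus space
    return len(password) * math.log2(charset)


def check_password_policy(password: str) -> List[str]:
    """Return the reasons a password is rejected; an empty list means it is accepted."""
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears in common-password denylist")
    bits = estimate_entropy_bits(password)
    if bits < MIN_ENTROPY_BITS:
        reasons.append(f"estimated entropy {bits:.1f} bits is below {MIN_ENTROPY_BITS:.0f}")
    return reasons


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted scrypt hash; returns (salt, digest) as the stored entry."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, digest


def verify(candidate: str, stored: Tuple[bytes, bytes]) -> bool:
    """Constant-time comparison of a candidate against a stored (salt, digest) entry."""
    salt, digest = stored
    _, candidate_digest = hash_password(candidate, salt)
    return hmac.compare_digest(candidate_digest, digest)


def measure_verify_seconds(samples: int = 3) -> float:
    """Wall-clock cost of one verify() at the configured scrypt parameters."""
    stored = hash_password("timing-probe")
    start = time.perf_counter()
    for _ in range(samples):
        verify("timing-probe", stored)
    return (time.perf_counter() - start) / samples


def denylist_sweep_seconds(per_verify: float, candidates: int, accounts: int) -> float:
    """Worst-case time for someone holding the salted hashes to test `candidates`
    common passwords against `accounts` entries at the server's own verify cost on a
    single core. This is the number a defender should assume, and it scales with the
    denylist size, not with the strength of the hash."""
    return per_verify * candidates * accounts


def main() -> None:
    for pw in ("123456", "password", "Tq8#vL2mZp9!wR4kXc7&"):
        verdict = check_password_policy(pw) or ["accepted"]
        print(f"{pw!r}: {'; '.join(verdict)}")
    per_verify = measure_verify_seconds()
    print(f"one scrypt verify: {per_verify * 1000:.1f} ms")
    # Even at server-grade cost, a short denylist against a large dump finishes quickly.
    hours = denylist_sweep_seconds(per_verify, len(COMMON_PASSWORDS), 1_000_000) / 3600
    print(f"{len(COMMON_PASSWORDS)} guesses x 1,000,000 accounts: ~{hours:.1f} hours")


if __name__ == "__main__":
    main()
```

The entropy estimate is intentionally generous, so the denylist is the check that actually catches "123456" and friends; a real deployment would use a breach-derived list far larger than the constructed one here, and the sweep estimate shows that a larger list, not a slower hash, is what changes the outcome for weak passwords.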