If you are the user -- use a throwaway password for every sensitive website.
Keep a record of them.
Code:
barry@deathstar9:~$ openssl rand -base64 12
M6ce0Xu0Ios1JFgj
It's the cheapest insurance against incompetent or careless website operators. The recent hacks of user data at some well-known sites come to mind. At least you jail the damage into that one domain.
The junk email signups might as well be 'password' -- so they hijack your junk mail? I hope that is where the 123456 / password / qwerty frequency is found, and that people are no longer that naïve ...
You are liable for your customer's loss on your website if your site is breached, his website assets disappear, and you have made no reasonable effort to prevent this -- like cam credits -- on an ethical basis, IMHO.
Security Breach Notification Laws
eu-data-breach-notification-rule-the-key-elements
https://privacyassociation.org/news/...-key-elements/
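As an added example (not from the original post or its author), here is a small POSIX shell helper that does what the post describes: it generates a fresh random password per site with the same `openssl rand -base64` call and keeps a record of it in an owner-only file. The record file location, the `newpass`/`lookup` function names and the tab-separated record layout are assumptions made for this example; it also assumes `openssl` is on the PATH, as in the post's one-liner.

```shell
#!/bin/sh
# Per-site throwaway passwords with a local record.
# Added example, not from the original post. Assumes openssl is on PATH.
# Record file is an assumption; override with RECORD=/path before sourcing.

RECORD="${RECORD:-$HOME/.site-passwords}"

# lookup SITE: print the most recently recorded password for SITE;
# exit non-zero if SITE has no record yet.
lookup() {
    [ -f "$RECORD" ] || return 1
    awk -F'\t' -v s="$1" \
        '$1 == s { p = $2; n = 1 } END { if (!n) exit 1; print p }' "$RECORD"
}

# newpass SITE [BYTES]: generate a base64 password from BYTES random bytes
# (default 12, giving 16 characters as in the post), append "SITE<TAB>pw"
# to the record with owner-only permissions, and print the password.
newpass() {
    site="$1"
    bytes="${2:-12}"
    [ -n "$site" ] || { echo "usage: newpass SITE [BYTES]" >&2; return 1; }

    # Warn rather than refuse: rotating a site's password is a normal event,
    # and lookup() always returns the newest entry.
    if lookup "$site" >/dev/null 2>&1; then
        echo "warning: $site already recorded; adding a newer password" >&2
    fi

    pw=$(openssl rand -base64 "$bytes") || return 1

    # Subshell so the restrictive umask does not leak into the caller's shell;
    # the file is created 0600, and chmod covers a pre-existing looser file.
    ( umask 077; printf '%s\t%s\n' "$site" "$pw" >> "$RECORD" ) || return 1
    chmod 600 "$RECORD"
    printf '%s\n' "$pw"
}
```

Usage: `. ./passrecord.sh; newpass shop.example.test` prints the new password and records it; `lookup shop.example.test` retrieves it later. The record is plain text protected only by file permissions, which matches the post's "keep a record of them" but is not a substitute for an encrypted password manager on a shared machine.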