The *big* problem lies with web sites that insist on 'good' passwords for access to trivial stuff.
I know of one major consulting company that insists on the whole upper / lower / digit / punctuation thing merely to create an account to read their published content.
Those are the kinds of sites that give us all the irrits!
I have no problem re-using the same trivial password for sites that need no personal information (or are happy with false data!). As soon as a site records some kind of unique / personal data about me, the 'proper' rules kick in.
I'm fairly sure this attitude is the reason many of the hacks reveal such a plethora of easy-to-guess passwords, passwords that will work on other sites. Despite all the warnings about re-use, I think people are generally more pragmatic than the experts give them credit for. And I think (hope!) that this explains the number of 'easy' passwords that researchers discover in the various troves of stolen credentials.
I know we have seen reports of a breached email address / password list being used to authenticate on a different site, but how often has this been proven to occur where the second location contains personal information? In fact (wondering out loud) have any of the researchers tried the password against the actual email account?
David Heath is a New Zealand-born Australian resident who initially pursued Geology and ended up with a Computer Science degree.