united-states
In US copyright law, criminal copyright infringement is defined by 17 USC 506(1), which reads:
- In general.—Any person who willfully infringes a copyright shall be punished as provided under section 2319 of title 18, if the infringement was committed—
(A) for purposes of commercial advantage or private financial gain;
(B) by the reproduction or distribution, including by electronic means, during any 180-day period, of 1 or more copies or phonorecords of 1 or more copyrighted works, which have a total retail value of more than $1,000; or
(C) by the distribution of a work being prepared for commercial distribution, by making it available on a computer network accessible to members of the public, if such person knew or should have known that the work was intended for commercial distribution.
Note that there is a financial floor in subsection (B), that the infringing copies must have a retail value of $1,000 or more.
However, my understanding is that, as a matter of policy and not law, the US Department of Justice (DoJ) only brings charges of criminal copyright infringement where the infringement is both extensive and lasting, in effect there the accused has made infringement a business.
I am fairly sure that password sharing itself would not be copyright infringement under US law, but might well be a violation of the Computer Fraud and Abuse Act (CFAA). But using a shared password to access protected content without authorization might be infringement, if a copy of the content is made. Sharing a password knowing that it will be so used is probably a violation of the anti-circumvention provisions of the DMCA, which has been incorporated into Title 17, the US copyright law. But that normally leads to civil liability.
