The problem with charging people for password resets is that by making the process of resetting a password more expensive, you've now encouraged people to reuse passwords. People know when they sign up for your service that resetting a password is going to be expensive, so they'll use a password that they're sure not to forget, i.e. the password they use for everything else.

I would posit that even with this social engineering exploit, Google's two-factor SMS authentication is still more secure than charging people for password recoveries (and thus encouraging password reuse).

I seem to recall there were some services that charged a one-time small fee in the late-90s / early-2000s basically for that reason. But in the past 10 years most seem to have moved to requiring a mobile phone number as the hurdle instead. The idea is that it has some of the same deterrent effect for bad actors, since coming up with a steady stream of unused mobile numbers costs a nonzero amount, but produces less sign-up friction for legitimate users.

IMO it's not that bad, people are used to paying locksmiths that much when locked out of houses or vehicles.

> Charging $100 is pretty punitive

Not really, considering there is zero reason for anyone to ever lose a password assuming they are using a password manager. You could even make it free for the first few hours after the account is created or the password is changed in case the user pastes it into their password manager incorrectly.