[aidenn0]

I already asked in the comments of the original article how many rounds of sha1 are used. SHA-1 still isn't the best, since it yields to FPGA attacks, but a single round can brute-force all 8 character passwords in less than 2 days on a GPU. My guess is that 10k rounds of sha-1 would probably not be feasible for non-dictionary attacks without specialized hardware.

[noarchy]

GPUs that Bitcoin miners would certainly have around. Not saying that this is what happened, but it got me wondering.

[clarkmoody]

The article mentions salted SHA-1, which is much more resistant to attack.

Obviously, more rounds and unique salts per user would yield better results, regardless of the hashing scheme employed.

[pork]

You can salt all you want, but an 8 character password with a single round is going to fall very, very fast. Salt, being public, has nothing to do with it.

[mappu]

It does however mean you have to spend two days per password, rather than two days for the entire user base, or ten minutes with a pre-existing lookup table.

[getsat]

No, consumer GPUs can do almost a billion SHA1 hashes per second now. We're talking seconds to minutes for "complex" passwords, not days.

http://codahale.com/how-to-safely-store-a-password/