LinkedIn used unsalted SHA-1, had their passwords leaked, and within a month 90-95% of leaked passwords were cracked[1].
Admittedly LinkedIn isn't a critical application calling for people's most secure passwords - but it's evident that only 5-10% of users use passwords that take more than 1 month to crack when hashed with SHA-1.
> Admittedly LinkedIn isn't a critical application calling for people's most secure passwords
People re-use passwords. Often it's not access to the LinkedIn account that's the problem, but that that same password will give you access to their email account; after that, you have everything.
Yes, you're right about that. I only included that proviso because I've seen people on HN report that, while they use a complicated, hard-to-remember password for important sites (Gmail, PayPal), they use weaker/easier to remember/reused passwords on less important sites (HN, Reddit, Facebook, LinkedIn).
Depending on how widespread this behaviour is, while 90-95% of LinkedIn passwords were easily cracked, that might not generalise to all sites.
[1] http://securitynirvana.blogspot.co.uk/2012/06/final-word-on-...
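Added example, not part of the thread: a defender's comparison of the unsalted SHA-1 storage discussed above with a per-user salted, slow KDF (PBKDF2-HMAC-SHA256 is chosen here only for illustration). The accounts, passwords and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not from any real leak); two users share a password.
USERS = {"alice": "linkedin123", "bob": "linkedin123", "carol": "correct horse battery"}
PBKDF2_ITERATIONS = 200_000  # assumed work factor for this illustration


def store_unsalted_sha1(password: str) -> str:
    """The weak scheme the thread describes: one fast hash, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_salted_pbkdf2(password: str) -> tuple[bytes, bytes]:
    """Hardened alternative: per-user random salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_salted_pbkdf2(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def distinct_records(records) -> int:
    """Count distinct stored values; fewer than the user count exposes shared passwords."""
    return len(set(records))


def audit() -> tuple[int, int]:
    """Return (distinct unsalted hashes, distinct salted digests) for USERS."""
    unsalted = [store_unsalted_sha1(p) for p in USERS.values()]
    salted = [store_salted_pbkdf2(p) for p in USERS.values()]
    return distinct_records(unsalted), distinct_records(d for _, d in salted)


if __name__ == "__main__":
    u, s = audit()
    print(f"{len(USERS)} users -> {u} distinct unsalted hashes, {s} distinct salted digests")
```

Without a salt, every account that shares a password shares a stored hash, so one computed guess is checked against the whole table at once; with a per-user salt and a slow KDF, each guess has to be recomputed per account at the full work factor.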