I'm really not sure you're talking about the same thing as, well, anybody else doing password security. Brute force incremental crackers (read: almost every password cracker ever written) don't attack the algorithmic strength of SHA1. They attack the complexity of the underlying passwords, using dictionaries, mutation functions, and statistics.
SHA1 is strong (at least in this application). Passwords are very, very weak.
SHA1 is strong (at least in this application). Passwords are very, very weak.