Re: Pass the salt...
This is JV, the paper author.
Yes, indeed SHA-1 is broken. We don't use SHA-1 for storing the ACTUAL passwords. In fact, Asia Pacific College **DOES NOT STORE PASSWORDS AT ALL** (caps only to emphasize, not shout).
We manage to function despite not storing any password by simply off-loading that whole problem to Microsoft - we're a Microsoft Showcase School, and our single-sign-on back-end rely on Microsoft's Active Directory hosted on Office 365 (cloud). In effect, Microsoft's own infra, and none of ours, ends up storing actual passwords, in whatever form.
So what was the role of SHA-1 in the experiment? It was merely to be able to match Troy Hunt's list. He gave away a list of 320M (now 500M+) breached passwords. But to make sure that list is next-to-impossible to weaponize, he didn't release them in plaintext: instead, every password in that list has been transformed to its SHA-1 hash. So his list, ultimately, is a list of SHA-1 hashes.
On our end, then, when a user logs in, we just pass the password through Microsoft's single-sign-on API. For this research, we added an extra thing - after passing to Microsoft and getting a confirmation of user validity, that same password we just passed is hashed using SHA-1, then sent to our research infrastructure that hosts Troy Hunt's list of SHA-1 "passwords". If there's a match, we know the password is compromised, even though we never end up knowing what that actual password is.
I hope this clears it up. The confusion is understandable. The paper itself has this detail, but of course it's probably too technical to be included in the media article above.