
Except it's missing 96 bits (which is the vast majority) of the hash. So it's not a SHA1 hash.

Why do you think that most passwords are just in the first 64 bits of a SHA1 hash?




What is an attacker going to do with the hash? The attacker will try to crack it, to get the original password. As long as the user's password had at most 64 bits of entropy, it's just as easy to crack a truncated sha1 hash as a full sha1 hash. Truncating it has not harmed the attacker at all. The attacker doesn't care if it's a full sha1 hash or a truncated sha1 hash. The attacker just cares about cracking it.

>Why do you think that most passwords are just in the first 64 bits of a SHA1 hash?

I don't understand what you're trying to say. Are you asking why I think most passwords have less than 64 bits of entropy?

>According to one study involving half a million users, the average password entropy was estimated at 40.54 bits.

https://en.wikipedia.org/wiki/Password_strength#Human-genera...
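
The argument in the reply above can be checked numerically. The following is an added example, not part of the thread: the function names, the candidate list and the stored password are constructed for illustration, and the 40.54-bit figure is the one quoted from the study.

```python
import hashlib

def sha1_prefix(password: str, bits: int = 160) -> bytes:
    """SHA-1 of the password, keeping only the first `bits` bits (multiple of 8)."""
    return hashlib.sha1(password.encode("utf-8")).digest()[: bits // 8]

def matching_candidates(stored: bytes, candidates, bits: int):
    """Candidates whose (truncated) hash equals the stored value.

    The cost is one SHA-1 per candidate whether 64 or 160 bits are kept,
    so truncation does not change the work needed to test a guess.
    """
    return [c for c in candidates if sha1_prefix(c, bits) == stored]

def expected_false_matches(entropy_bits: float, kept_bits: int) -> float:
    """Expected number of wrong guesses, out of 2**entropy_bits, that
    happen to share the same kept_bits-bit prefix as the real password."""
    return 2.0 ** (entropy_bits - kept_bits)

# Constructed sample data: a tiny guess list and one "stored" password.
CANDIDATES = ["123456", "password", "letmein", "qwerty", "dragon", "hunter2"]
STORED_PASSWORD = "hunter2"

FULL = sha1_prefix(STORED_PASSWORD, 160)      # full 160-bit hash
TRUNCATED = sha1_prefix(STORED_PASSWORD, 64)  # first 64 bits only

if __name__ == "__main__":
    print("full hash match:     ", matching_candidates(FULL, CANDIDATES, 160))
    print("truncated hash match:", matching_candidates(TRUNCATED, CANDIDATES, 64))
    # With ~40.54 bits of password entropy, a 64-bit prefix is still
    # effectively unique across the whole guess space.
    print("expected false matches:", expected_false_matches(40.54, 64))
```

Both lookups return the same single candidate, and the expected number of false matches across a 40.54-bit guess space is far below one, which is why dropping 96 bits does not make a weak password safer to store this way.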



