Things to consider while developing any web application : Part 1

Point 1 should be "allow people to login via Facebook/Twitter/Openid/etc if possible, and hash the password using bcrypt() otherwise". sha1 isn't going to slow an attacker down.