I'm a little nerd-sniped by the callout over using SHA-1; SHA-1 is broken in a way that has nothing to do with password storage security (they're not using a password KDF at all, so the thrust of the complaint isn't wrong, and no sane person would use SHA-1 to build a new password KDF in 2019, but still!)