
Using pure SHA for passwords is almost equally bad as MD5, because the biggest problem with these algorithms is their speed (MD5 is completely broken when it comes to collision resistance, of course, but that's not the main concern with passwords). Instead, you should use functions like bcrypt or PBKDF2, which are purposefully built for passwords.

