The hashing algorithm is guessable, but this is not the way how you can secure your passwords in the database. If somebody can steal your entire database, then I assume the problem is much wider in your system as you think, and he will got your source code as well... From there it is not a long step to find the hashing algorithm you use.

What you should really do is using a real password hashing algorithm, which is intentionally very slow. So forget sha1 or md5, and use bcrypt (if not possible, than use the previous ones with salt and with the currently recommended iteration count).

The hashing algorithm is guessable, but this is not the way how you can secure your passwords in the database. If somebody can steal your entire database, then I assume the problem is much wider in your system as you think, and he will got your source code as well... From there it is not a long step to find the hashing algorithm you use.

What you should really do is using a real password hashing algorithm, which is intentionally very slow. So forget sha1 or md5, and use bcrypt (if not possible, than use the previous ones with salt and with the currently recommended iteration count).