password_hash() - because it does everything without leaving anything for you, the coder, to do wrong. it automatically generates salt, uses the best hashing-algorithm available to your current PHP-installation and is easy to use, while
password_verify() is backwards compatible, no matter what hash may have been used in an earlier version.
also, i don't know about SHA1, but MD5 definitely isn't cryptographically secure anymore for years. meaning, in short, that you cannot reconstruct a password from it, but an educated attacker could.