Category error: SHA-1 and MD5 are Digests, AES256 is a Cipher
SHA-1 and MD5 are used to Digest passwords. Digests are one way functions: you don't ever need the password back.
There is a reason for the confusion BTW: there are sound ways to use a Digest as a cipher, and vice versa, but the result is always less good (usually the computational advantage of the defender over the attacker is less) than a best of bread function designed for it's purpose, which shouldn't come as a surprise.
The arstechica article you link to might leave people thinking that the low cost of calculating a digest is a problem, which should be fixed by making the category error of using a cipher instead, but that's not the case: digests are designed to be collision resistant. You can prove that if a digest is collision resistant, then repeating the digest N times (I.e. digest then digest the digest, ...) is the cheapest way to arrive at that answer, so you can make an arbitrarily slow digest, given a collision resistant digest.
The problem is the way the digest is used. You can equally make the mistake of not salting the digest.
MD5 is not all that collision resistant, that's it's problem. SHA1 is not as collision resistant as it's designers thought, but no one has actually found one yet. By all means use SHA2, or SHA3.
More complicated schemes are harder to prove things about: an implementation may be slow, but without a proof that that's the cheapest way to get the answer, the scheme may later prove to be weak.
People bang on a lot about how GPUs are being used to crack passwords, but attackers and defenders have access to GPUs to calculate digests, and because hackers benefit from economies of scale, they will always use commodity hardware.