Imagine the following situation. We're making a web application which should be really safe
Now the accounts/users are not directly added by us but they receive a letter with a logincode. We get a file every now and then containing an unsalted SHA-1 hash of this logincode, and some other really basic info.
Considering SHA-1 is now a days seen as a liability, and the software generating these hashes is not under our control (it's also probably old software not capable of better hashes)
Would it be a solution to hash the received hash using Bcrypt. This should fix the problem of it being unsafe/too fast if i'm correct? Should I also add a pepper?
Are there any other problems i might have missed? Or should we push back the problem and have them fix their software for better hashing functions?
Clarification:
Our client is an employee of a company and needs approval for this project.
The third party made a system for the company of our client that handles sensitive information about the customers of our clients company. They want to give some of their customers the ability to login to our application, this has to happen through their system because that's what the employees of our customer know and if they would have to add users manually in our application our client would not get approval.
Also if there is any leak or breach (even though technically we have 0 access to any sensitive information, even in our own application there is no name or any identifying info about the user) this could still attract unwanted negative attention that would hurt both the client and us.
Problem is, the system the third party made can only do unsalted SHA-1 Hashes. So my question is to try and see if we can work around this. Or if we are forced to tell my client to force the third party to implement a better hashing system, which they might just say answer with no we don't want to. Or it might cost a lot more money.
I hope i explained it a bit better while still being vague. :)