For the login you will need to apply sha1 formatting to the posted password value in the Authenticate User server behavior.
For the forgot password you will have to redo this part with a generate new password page instead. The idea is that the user indicates that they forgot their password and an email is sent with a password reset link. The user clicks on this link and a new randomly generated password is sent to them. On the page that sends it you need to store it in a session variable then encrypt the value and update the record in the db with it. In the Universal Email server behavior you will use the session variable that holds the unencrypted value.