For hashing functions, no ready analogy finds itself in the sphere of football or automobiles. The best we can do is to spill the actual facts.
Dear Boss,
In a perfect world, users would be security conscious, and never use the same (or even a similar) password for two or more different sites or services. In that perfect world, a password would have little value to an attacker. After compromising the user database and learning the passwords, those passwords would not be useful for gaining access to other systems.
In the real world, users re-use passwords, and so the secrecy of passwords mustcontinue to be guarded even when a system has been breached, in order to limit the damage.
Hashing helps to protect passwords, because the only way to obtain a password from the hash is a brute force computation which takes time. That computation will first break weak passwords which are short, or based on dictionary words and common phrases. It takes much longer to break strong passwords, but given enough time, those will fall too.
However, because it takes time to crack the hashed passwords, the users of the compromised system who tend to re-use passwords, or use similar passwords, will may have enough time to be warned and to change their passwords on other systems, before the attacker tries to access their accounts. (Those with very weak passwords will have little or no time, unfortunately, because weak passwords can "cracked" from hashes very quickly. The defense against are safeguards in the system which prevent users from using weak passwords.)
Without hashing, the attacker can immediately move on to accessing other systems after stealing the passwords from the compromised system. By the time the administrators even learn about the breach, other systems have already been accessed, at least for those users who re-use passwords.
There is a second threat: that of surreptitious access. This affects even those users who do not re-use passwords. Suppose that the password database of a system is leaked, but this event goes undetected. The attacker can use the passwords to surreptitiously access the system for months or years after the breach. Not only has the attacker stolen information which had been current at the time of the incident, but can continue to steal information simply by logging in to those accounts for which he has passwords, for as long as those passwords do not change.
Hashed passwords help guard against this threat, in particular when combined with a policy of regular password changes and strong passwords. Hashed passwords which are strong ensure that the attacker has to perform a lengthy computation in order to discover a password from the hash. The password change policy helps ensure that by the time this computation is done, the discovered password is probably useless because it has been changed.