What is a good analogy to explain to a layman why passwords should be hashed? - Information Security Stack Exchange

Answer by paj28 for What is a good analogy to explain to a layman why passwords should be hashed?


The technical importance of hashing is vastly overstated.

The practical reason you need to hash is because everyone else does it; it is considered "best practice". If you have a breach, it is much easier to defend a position where you are doing the same as your peers. Doing something different, even if it's the right thing, is much harder to defend. So I always advise websites to follow the standard hashing method, even though I think it's baloney.

So why is the importance of hashing vastly overstated? Let's start by thinking about a website with non-hashed passwords. The passwords would be stored in plaintext in the database. The database is secured - on a physically secure server, full disk encryption, firewalls, secure administration, and it is protected by the application logic on the web server. Those passwords are basically secure.

Why do we hash at all? It provides a last line of defence. Suppose all those defences were thwarted. Perhaps the NSA have used a zero-day browser exploit to get malware on the sys-admin's workstation, waited for him to log in to the database, and from there taken remote control, and extracted all the data. In that case, the NSA gets all the plaintext passwords. And this is where hashing helps: if you use hashing, the NSA only gets the hashes, and they would have to conduct a brute force attack to get the passwords.

And that's why people recommend hashing. But this is flawed for three reasons:

  1. Personal data - the web site holds your passwords, and it also holds personal data. Whether it's messages, photos, shopping history. The reason you have a password in the first place is to protect your personal data. Hashing may protect the password, but it does nothing to protect your personal data.

  2. Live capture - while there are only hashes stored in the database, every time someone logs in, their password is sent to the web server. The NSA can silently sit on the server capturing everyone's password. Hashing does nothing to prevent this.

  3. Password reuse - it is important to avoid password reuse for other reasons. So, when LinkedIn is hacked, it hardly matters whether they get my password or not. The hackers already have my personal data from LinkedIn. And if they recover my password, it gets them access to LinkedIn only, and they already have that data.

Given all this, the benefits of password hashing are marginal. I don't know why the InfoSec community goes on and on about password hashing; it would be far more sensible to focus on preventing database breaches in the first place. In general, the costs of hashing are relatively low, but there is one exception: heavily iterated hashes. The technical cost of this is high, and the benefit is low, so this advice is quite badly misconstrued. Still, I have to advise people to follow it, because it is "best practice".
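The two mechanisms the answer weighs, the "last line of defence" (a leaked table of salted, iterated hashes still has to be guessed, one candidate at a time) and the cost of heavy iteration (every guess, and every legitimate login, pays the same work factor), shown as an added example. This is not paj28's code or anything from the question; the iteration counts are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

# Assumed work factors for the comparison, not values from the answer.
LOW_ITERATIONS = 1          # roughly a plain salted hash: cheap to verify, cheap to guess
HIGH_ITERATIONS = 200_000   # "heavily iterated": each guess costs 200k hash operations


def hash_password(password: str, iterations: int, salt: bytes = None) -> str:
    """Return a record 'iterations$salt_hex$digest_hex'. A fresh random salt per
    user means two users with the same password get different stored records."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the parameters stored in the record and compare
    in constant time; the server pays the full iteration cost on every login."""
    iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def seconds_per_guess(iterations: int, samples: int = 20) -> float:
    """Measured cost of checking one candidate at this work factor. This is the
    per-guess price a leaked table imposes, and equally the per-login price the
    site pays, which is the trade-off the answer objects to."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", f"candidate{i}".encode(), salt, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    record = hash_password("correct horse", HIGH_ITERATIONS)
    print(record)
    print(verify_password("correct horse", record), verify_password("wrong", record))
    low = seconds_per_guess(LOW_ITERATIONS)
    high = seconds_per_guess(HIGH_ITERATIONS)
    print(f"per-guess cost: {low:.2e}s at {LOW_ITERATIONS} iterations, "
          f"{high:.2e}s at {HIGH_ITERATIONS} iterations (x{high / low:.0f})")
```

Run it to see the ratio on your own hardware; the multiplier between the two costs is the whole argument for and against heavy iteration, since the defender and the guesser pay it alike.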
