A slow, per-user-salted KDF makes cracking and rainbow tables infeasible (CWE-916) — a single fast SHA-256 is mass-crackable on GPUs, reversible encryption means a key leak exposes every password, and one shared salt lets identical passwords be attacked together.
Official docs