Storing passwords in plaintext exposes every account the moment your database leaks. That's why passwords are converted to a hash before storage, and at login the hash of the entered value is compared. Since the original is never stored, even a leak doesn't immediately reveal the password.
But a plain SHA-256 hash isn't enough on its own. Because the same password always yields the same hash, an attacker can mass-match against a rainbow table of precomputed hashes of common passwords. To prevent this, you must add a random salt per account before hashing.
Speed is a problem too. SHA-256 is so fast that an attacker can guess billions per second. That's why passwords use deliberately slow, purpose-built hashes like bcrypt, scrypt, and Argon2. These let you tune the iteration count and memory cost to greatly slow down brute-force attacks.
In short, the three principles of password storage are salt + a slow purpose-built hash + a sufficient cost parameter. Plain SHA-256/512 is fine for file integrity and signatures, but for storing passwords use a dedicated algorithm like Argon2.