Comment on Plex got hacked.
sugar_in_your_tea@sh.itjust.works 1 week ago
You missed the part about pepper. Pepper is something that’s added, like salt, but that isn’t stored with the password. A low security version of this is an environment variable, but it could also be a secure hardware device on the machine.
So it’s more like this:
- “p@ssword” + “hakf” + “pepper” -> “hifbskjf”
- “p@ssword” + “jkjh” + “pepper” -> “gaidjshj”
If an attacker only has the salt, they’ll “crack” the password into something that’s not the original password: brute_force(“hifbskjf”, “hakf”) -> “kdrnskk”. The idea is that it might take a few days for the attacker to recognize the error, and by then the security team has already responded and locked the backdoor.
Even if the passwords are peppered, users should assume their password is compromised and change them. But peppering may prevent a cascade effect from reused passwords.
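Added example (mine, not code from the comment above): a Python sketch of the salt-plus-pepper scheme the comment describes, using constructed values; `PEPPER`, `hash_password`, `make_record`, `verify` and `find_match` are names I chose. It shows that a guess checked against a leaked salt and hash reproduces the stored hash only when the pepper is also known.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed value for the example. In a real deployment the pepper lives
# outside the database (env var at minimum, HSM/secure element ideally).
PEPPER = b"example-pepper-never-stored-in-db"
ITERATIONS = 50_000  # PBKDF2 work factor, kept low so the demo runs quickly


def hash_password(password: str, salt: bytes, pepper: bytes) -> bytes:
    """Salt is stored next to the hash; pepper is mixed in but never stored.

    The pepper is prepended here for clarity; a keyed HMAC over the password
    is the more common way to apply it.
    """
    return hashlib.pbkdf2_hmac("sha256", pepper + password.encode(), salt, ITERATIONS)


def make_record(password: str, pepper: bytes = PEPPER) -> dict:
    """What the database would hold: a fresh random salt and the hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt, pepper)}


def verify(password: str, record: dict, pepper: bytes = PEPPER) -> bool:
    """Login check: recompute with the stored salt plus the server-side pepper."""
    candidate = hash_password(password, record["salt"], pepper)
    return hmac.compare_digest(candidate, record["hash"])


def find_match(record: dict, candidates: list, pepper: bytes) -> Optional[str]:
    """Return the candidate that reproduces the stored hash, or None.

    Models someone holding only the leaked (salt, hash) pair: with the right
    pepper the real password matches; without it nothing in the list does.
    """
    for guess in candidates:
        if hmac.compare_digest(hash_password(guess, record["salt"], pepper), record["hash"]):
            return guess
    return None


def demo() -> tuple:
    """Constructed wordlist containing the real password; returns (no pepper, with pepper)."""
    record = make_record("p@ssword")
    wordlist = ["password", "p@ssword", "hunter2"]
    return find_match(record, wordlist, pepper=b""), find_match(record, wordlist, pepper=PEPPER)
```

The first element of `demo()` is `None`: with the pepper missing, even the correct password in the list fails to reproduce the stored hash, which is the cascade protection the comment describes.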
moseschrute@lemmy.world 1 week ago
I actually didn’t realize pepper was a thing. I mostly do frontend. But that’s really interesting!