to add, a server admin can manually rotate the salt to a known value allow a user to use an old password, and rotate to a new random salt immediately after… and the admin wouldn't ever have to know the password.
it's clear this triggered the crowd.
believe what you want. seems pretty unlikely that it wasn't authentic.