I understand that salts make the same password hash to different values. However, salts are usually stored in the database with the password. So let\'s say I am attacker,
That's correct. If someone got the password material, a dictionary attack would be effective.
To guard against this: