Re: Not really correct
From my long-term storage memory, I seem to recall it works like this (using MD5, yes, really long-term storage....)
Website asks "what do you want your password to be?"
You input "password"
Server gets "password", adds some salt, then hashes it into MD5. It then stores the MD5 and salt in a database (except where the salt is hard-coded), so now your password is b305cadbb3bce54f3aa59c64fec00dea (passwordsalt).
You visit the website the next day, it asks "what is your password?"
You input "password"; the server adds the salt, hashes the password, then checks the result.
If the result is b305cadbb3bce54f3aa59c64fec00dea then you enter; if the result is not b305cadbb3bce54f3aa59c64fec00dea then "password incorrect". This way the website never knows your password.
Now, imagine that saltpassword produced the same hash as passwordsalt (it doesn't, but imagine). If you go to the website and put in saltpassword, the server doesn't know it's the wrong password; all it knows is the result of the hash. The result causes a collision and the password is accepted.
Also, yes, 1,000 years is an underestimate. The possible number of combinations for a 15-letter upper/lower/numeric password is 62^15 = 768,909,704,948,766,668,552,634,368. In 2012 a rig could brute-force 348 billion passwords per second, so guessing that password would take roughly 70,063,123 years.
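The register-then-login flow and the brute-force arithmetic the post walks through, as an added Python example (this is not the poster's code). It assumes a per-user random salt, appends the salt to the password as in "passwordsalt", and uses a 365-day year for the estimate.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Registration: the server keeps only the salt and MD5(password + salt),
# never the plaintext password itself.
def make_record(password: str, salt: Optional[str] = None) -> dict:
    if salt is None:
        salt = secrets.token_hex(8)  # assumption: a random per-user salt
    digest = hashlib.md5((password + salt).encode()).hexdigest()
    return {"salt": salt, "md5": digest}

# Login: re-hash the attempt with the stored salt and compare digests only.
# Anything that hashed to the stored digest would be accepted, which is why
# the post's hypothetical collision would let a wrong password in.
def check_login(attempt: str, record: dict) -> bool:
    digest = hashlib.md5((attempt + record["salt"]).encode()).hexdigest()
    return hmac.compare_digest(digest, record["md5"])  # constant-time compare

# Worst-case time to try every password of the given length, using the
# post's 2012 figure of 348 billion guesses per second.
def brute_force_years(length: int, alphabet: int = 62,
                      guesses_per_second: int = 348_000_000_000) -> int:
    keyspace = alphabet ** length
    return keyspace // (guesses_per_second * 365 * 24 * 3600)

if __name__ == "__main__":
    rec = make_record("password", salt="salt")  # constructed sample values
    print(rec)
    print(check_login("password", rec), check_login("saltpassword", rec))
    print(brute_force_years(15))
```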