"if the system is any good, it should be impossible to find out what password is actually used."
To test who uses "password", you create the hash and compare it to your stored hashes. Any matches are either "password" or a very unfortunate combination of characters that provides the same hash. With any good hashing function, this shouldn't happen...
This is why losing hashed/salted/"encrypted" passwords is such a big issue - they really aren't hard to crack relative to brute forcing them. Guessing the hash is relatively simple, the salt just stops you being able to easily pre-compute every single password and the rest is down to the resources at your disposal - a decent CPU/GPU combination with enough storage should have you cranking out billions of password hashes a second.
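The comparison described above, as an added example that is not part of the original post: a weak-password audit over a constructed credential store, showing that an unsalted store is checked with a single hash while a salted store needs one computation per account. The account names, function names and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not from the original post).
ACCOUNTS = {"alice": "password", "bob": "c0rrect-h0rse", "carol": "password"}
ITERATIONS = 10_000  # assumed value, kept low so the demo runs quickly


def hash_unsalted(password):
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password, salt, iterations):
    # Slow, salted derivation: every guess costs `iterations` HMAC rounds.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_stores(accounts):
    """Return (unsalted, salted) stores as a leaked table would hold them."""
    unsalted = {u: hash_unsalted(p) for u, p in accounts.items()}
    salted = {}
    for user, password in accounts.items():
        salt = os.urandom(16)  # unique per account
        salted[user] = (salt, ITERATIONS, hash_salted(password, salt, ITERATIONS))
    return unsalted, salted


def audit_unsalted(store, candidate):
    """Hash the candidate once, then compare against every stored hash."""
    target = hash_unsalted(candidate)
    hits = sorted(u for u, h in store.items() if hmac.compare_digest(h, target))
    return hits, 1  # (matching users, hash computations needed)


def audit_salted(store, candidate):
    """Salts differ per account, so the candidate is re-hashed for each one."""
    hits, computations = [], 0
    for user, (salt, iterations, digest) in store.items():
        computations += 1
        if hmac.compare_digest(hash_salted(candidate, salt, iterations), digest):
            hits.append(user)
    return sorted(hits), computations


if __name__ == "__main__":
    unsalted, salted = build_stores(ACCOUNTS)
    print(audit_unsalted(unsalted, "password"))
    print(audit_salted(salted, "password"))
```

In the unsalted store the two accounts sharing a password also share a stored hash, which is what makes precomputed tables work; the salted store hides that equality and multiplies the cost of each guess by the number of accounts and the iteration count.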