This is my understanding too: even if someone breaks into the DB and gets the list of salts and passwords, they can't use rainbow tables because of the "random" salts, so finding the plain text passwords becomes computationally too expensive to accomplish.
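An added illustration, not part of the comment above: a precomputed hash-to-password table is checked against an unsalted and a salted copy of the same accounts. The wordlist, account names and helper functions are constructed for this example, and a plain dictionary stands in for a rainbow table.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny wordlist and two accounts sharing a password.
WORDLIST = ["123456", "password", "letmein", "qwerty"]
ACCOUNTS = {"alice": "letmein", "bob": "letmein"}

def digest(password: str, salt: bytes = b"") -> str:
    # SHA-256 keeps the demo short; a production store would use a slow
    # password hash (bcrypt, scrypt, Argon2) with the same per-user salt idea.
    return hashlib.sha256(salt + password.encode()).hexdigest()

def build_table(words):
    """Precomputed hash -> plaintext map, standing in for a rainbow table."""
    return {digest(w): w for w in words}

def store(accounts, salted: bool):
    """Return the rows a database would hold: user -> (salt, hash)."""
    rows = {}
    for user, pw in accounts.items():
        salt = os.urandom(16) if salted else b""
        rows[user] = (salt, digest(pw, salt))
    return rows

def table_hits(rows, table):
    """Users whose stored hash appears in the precomputed table."""
    return {u: table[h] for u, (_, h) in rows.items() if h in table}

def verify(rows, user, candidate):
    """Normal login check: recompute with the stored salt, compare safely."""
    salt, expected = rows[user]
    return hmac.compare_digest(digest(candidate, salt), expected)

TABLE = build_table(WORDLIST)
UNSALTED = store(ACCOUNTS, salted=False)
SALTED = store(ACCOUNTS, salted=True)

if __name__ == "__main__":
    print("unsalted rows found in table:", table_hits(UNSALTED, TABLE))
    print("salted rows found in table:  ", table_hits(SALTED, TABLE))
    print("alice and bob share a hash:  ",
          SALTED["alice"][1] == SALTED["bob"][1])
    print("login still verifies:        ", verify(SALTED, "alice", "letmein"))
```

The salts sit in the clear next to the hashes in `SALTED`, yet the table built without them matches nothing, and two accounts with the same password no longer share a stored value.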