A password only 8 chars long can still be brute forced, salt or not.
Without salt, the attacker would make a guess, run the hash on the password, and compare it to the stored version.
With salt, the attacker would make a guess, combine it with the salt, and then run the hash and compare like before.
What salt does is prevent a shortcut. The attacker has a big list of passwords and their associated hash values. They grab the hash out of the leaked database, compare it to the list, and match it to the original plaintext. When the hashes have a salt, they would need to generate the list for every possible salt value. For a sufficiently long salt that’s unique to each password entry, that list would be infeasible to generate, and infeasible to store even if you could.
If your passwords were long and random enough, then it’s also infeasible to generate that list to cover everything. It really only works against dictionary words and variations (like “P4ssw0rD”).
There’s a model that id used for open sourcing their engines. The source code is open, but the assets (textures, models, sounds, etc.) are still copyrighted and you still have to buy the game to get them legally. This means the company still sells copies on Steam or wherever, and games that replace all the assets can still sell them without any licensing costs, too.
I’m a little surprised this model never caught on. Even id only ever published the engine to the previous game–Quake 3 was open sourced a little after Doom 3 was released–and the practice seems to have stopped when John Carmack left.
Possibly because nobody has tested it in court, or some other subtle legal issue?