The salt isn’t kept with the database, so if you were trying to match a salt against a password, you would have to compare each salt against each password.

If one has the encrypted password, it is created in a one-way hash, so you still need to match every salt against every password possibility. Compare that to brute-forcing a password, and it is many, many times over more complex, thus making it infeasible.

From the example you give:

I make a rainbow table for all the possible salts and find the Time.now.utc that made the salt.

That isn’t how it works. You can’t derive the salt from the encrypted password, without also having the password. So, considering that time-stamps will take seconds into account, an attacker would have to choose when they thought your salt was created, but at 86,400 a day, for a range of days, against a dictionary of passwords, that starts inching up to infeasible. ^_^