by brl 5044 days ago
If your salt is 'short' you can still perform this attack.

Assume a timing oracle, which when queried with a plaintext password will return an integer which is the length in bytes of the matching hash prefix.

Choose a small prefix length (perhaps 3 or 4) and send distinct passwords to the oracle until you have more than one input password which produces the length you've chosen.

With this information you can perform an offline brute force of all possible salt values to reduce that set to only the salts which produce the correct matching prefixes when used with the passwords from the previous step.

Too many salts in this set? Test each one by generating a candidate password that has the same prefix as your test cases and then ask the oracle if it agrees that the prefixes match.

Once you know the salt, perform a dictionary attack against the partial hash you already know from guessing the salt to create a set of candidate passwords. If there are too many passwords to test them all, then generate a longer prefix. Either trying all the passwords or generating a prefix which is one byte longer than the last one is going to be a harder problem. Choose the easier of the two problems at each iteration.
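The oracle this comment relies on comes from comparing the stored hash against the candidate hash byte by byte and stopping at the first mismatch. Below is an added example (not the commenter's code) showing that early-exit comparison next to the fix, a constant-time comparison of the full digest, so the number of matching prefix bytes no longer changes the work done. Function names, the PBKDF2 parameters and the sample salt are assumptions for this illustration.

```python
import hashlib
import hmac

# Constructed sample salt for the demonstration; a real deployment draws it from os.urandom.
DEMO_SALT = b"\x01\x02\x03\x04\x05\x06\x07\x08"


def derive(password: bytes, salt: bytes) -> bytes:
    """Derive a 32-byte verifier from password and salt (PBKDF2-HMAC-SHA256, parameters assumed)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def leaky_equal(a: bytes, b: bytes) -> tuple[bool, int]:
    """Early-exit comparison: the vulnerable pattern.

    Returns (equal, bytes_examined). The loop stops at the first differing
    byte, so the time spent grows with the length of the matching prefix.
    That prefix length is exactly what the timing oracle in the comment above leaks.
    """
    if len(a) != len(b):
        return False, 0
    steps = 0
    for x, y in zip(a, b):
        steps += 1
        if x != y:
            return False, steps
    return True, steps


def constant_time_equal(a: bytes, b: bytes) -> bool:
    """Hardened comparison: hmac.compare_digest examines every byte regardless of where a mismatch occurs."""
    return hmac.compare_digest(a, b)


def verify_leaky(password: bytes, salt: bytes, stored: bytes) -> bool:
    """Password check built on the early-exit comparison (do not use)."""
    equal, _ = leaky_equal(derive(password, salt), stored)
    return equal


def verify_safe(password: bytes, salt: bytes, stored: bytes) -> bool:
    """Password check built on the constant-time comparison."""
    return constant_time_equal(derive(password, salt), stored)


if __name__ == "__main__":
    stored = derive(b"correct horse battery staple", DEMO_SALT)
    print("leaky, right password:", verify_leaky(b"correct horse battery staple", DEMO_SALT, stored))
    print("leaky, wrong password:", verify_leaky(b"hunter2", DEMO_SALT, stored))
    print("safe,  right password:", verify_safe(b"correct horse battery staple", DEMO_SALT, stored))
    print("safe,  wrong password:", verify_safe(b"hunter2", DEMO_SALT, stored))
    # The step count makes the leak visible without any timing measurement:
    print("bytes examined for 3-byte matching prefix:", leaky_equal(b"abcdef", b"abcxyz")[1])
```

Both verifiers accept and reject the same passwords; the difference is only in how much work each does for a near miss, which is what turns a wrong-password response into an oracle. Using `hmac.compare_digest` (or the equivalent constant-time primitive in the language at hand) removes the prefix-length signal the attack in the comment needs, while a strong random salt per user independently keeps the offline salt search from being feasible.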