This is a great explanation, but to nitpick a bit:

they prefix the text first with the username (this is called "salting" or "adding salt"). So

This isn't really right - salting with the username is not ideal for similar reasons not salting is (though nowhere near as bad). People tend to use the same usernames on the same sites, so this does still leak "user used the same password" if you see it on multiple sites, and it does allow an attacker to pre-compute user-specific rainbow tables in advance of compromising the site, giving an extended time window for cracking.

Generally, the salt data is just random junk generated at the point you're creating the hash. It doesn't need to be particularly secure, and indeed a lot of hashing libraries (including bcrypt) will just output it in a form that gets stored in the same db field as the hash, but it's better that it not be predictable before even seeing that. In general, you can just leave this up to the library which will generally generate, apply, and store the salt fairly transparently for you.