Tags: django, pyramid, pylons

Where is the Salt key in a Pylons/Pyramid app?


I have a legacy 2010 Pylons app I want to replace with a newer Django one.

In Django, it is my understanding that the Salt that is used in hashing passwords is the SECRET_KEY in the config file. Correct me if I am wrong. Pretty easy to find. (I was wrong and corrected).

Anyway, the company isn't keen on resetting everyone's passwords due to the different hashing algorithm used in Django. So I was going to change Django's to match the Pylons one, or find a way to decrypt the Pylons hashed ones, and re-encrypt under Django's.

Problem is I don't know where the Salt is in the Pylons application after looking through documentation and Googling it. Anyone have an idea?


Solution

  • There is no single way of using a salt in Pyramid (or Pylons). The implementation of storing / retrieving a password hash in a data store is left to the application code.

    That gives you much freedom.

    One way of doing it could be to reproduce the code in Django and continue using this as your hashing algorithm since it's probably secure. A quick fix or proof of concept could be to install django and import code from it (though I would personally copy-paste small parts of the code if the license permits it, or just rewrite it). The hashing part you need is probably less than 15 lines once stripped to its minimum.

    Also, I don't recommend doing as suggested in the comments on your question: migrating passwords as users log in. Because you'll be stuck with old passwords forever and you'll have to keep the code to handle them, plus the new code to handle new passwords, plus the migration code.
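A worked example of the approach the answer recommends, added here and not part of the question or the answer: reproduce the legacy hashing scheme on the Django side as a custom password hasher, then convert the stored column once. Because the new hasher computes exactly the old digest, the existing rows only need the algorithm prefix Django expects prepended; no plaintext and no migrate-on-login code path is required. The legacy layout used below ("<hex salt>$<hex sha1(salt bytes + password)>") and the prefix name `pylons_sha1` are assumptions chosen so the example runs offline; read the real Pylons app's login code for its actual scheme before copying anything. The class mirrors the method names of Django's documented custom-hasher interface but deliberately does not import Django, so it runs stand-alone; in a project you would inherit from `django.contrib.auth.hashers.BasePasswordHasher` and list the class in `PASSWORD_HASHERS`. Whether a single-round salted SHA-1 is strong enough to keep is a separate decision; `must_update` is the hook where Django would re-hash on the next successful login if you decide it is not.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed legacy layout (stand-in, not taken from the original page):
#   "<hex salt>$<hex sha1(salt_bytes + password_utf8)>"
LEGACY_ALGORITHM = "pylons_sha1"  # assumed prefix used on the Django side


def legacy_digest(password: str, salt_hex: str) -> str:
    """Hash exactly the way the (assumed) legacy Pylons app did."""
    return hashlib.sha1(bytes.fromhex(salt_hex) + password.encode("utf-8")).hexdigest()


def legacy_encode(password: str, salt_hex: Optional[str] = None) -> str:
    """Produce a legacy-format stored value, generating a fresh salt if none is given."""
    if salt_hex is None:
        salt_hex = secrets.token_hex(8)
    return f"{salt_hex}${legacy_digest(password, salt_hex)}"


def legacy_verify(password: str, stored: str) -> bool:
    """Check a password against a legacy stored value using a constant-time compare."""
    salt_hex, _, digest = stored.partition("$")
    return hmac.compare_digest(legacy_digest(password, salt_hex), digest)


class LegacyPylonsSHA1Hasher:
    """
    Same method names and return shapes as a Django custom password hasher.
    In a real project inherit from django.contrib.auth.hashers.BasePasswordHasher;
    kept dependency-free here so the example runs without Django installed.
    """

    algorithm = LEGACY_ALGORITHM

    def salt(self) -> str:
        return secrets.token_hex(8)

    def encode(self, password: str, salt: str) -> str:
        # Django stores "<algorithm>$<salt>$<hash>"; the digest itself is the legacy one.
        return f"{self.algorithm}${salt}${legacy_digest(password, salt)}"

    def decode(self, encoded: str) -> dict:
        algorithm, salt, digest = encoded.split("$", 2)
        if algorithm != self.algorithm:
            raise ValueError(f"not a {self.algorithm} hash")
        return {"algorithm": algorithm, "salt": salt, "hash": digest}

    def verify(self, password: str, encoded: str) -> bool:
        parts = self.decode(encoded)
        return hmac.compare_digest(self.encode(password, parts["salt"]), encoded)

    def must_update(self, encoded: str) -> bool:
        # Return True here if you later decide to re-hash into a stronger scheme at next login.
        return False

    def safe_summary(self, encoded: str) -> dict:
        parts = self.decode(encoded)
        return {
            "algorithm": parts["algorithm"],
            "salt": parts["salt"][:4] + "...",
            "hash": parts["hash"][:6] + "...",
        }


def convert_legacy_row(stored: str) -> str:
    """
    One-shot conversion of a legacy stored value into Django's "<algorithm>$..." form.
    No plaintext is needed, so the whole table can be rewritten in a single migration
    instead of waiting for each user to log in.
    """
    salt_hex, sep, digest = stored.partition("$")
    if sep != "$" or not salt_hex or len(digest) != 40:
        raise ValueError("unrecognised legacy value")
    return f"{LEGACY_ALGORITHM}${salt_hex}${digest}"


if __name__ == "__main__":
    # Constructed sample row standing in for one record of the legacy users table.
    legacy_row = legacy_encode("correct horse", "0123456789abcdef")
    django_row = convert_legacy_row(legacy_row)
    hasher = LegacyPylonsSHA1Hasher()
    print(legacy_row)
    print(django_row)
    print(hasher.verify("correct horse", django_row), hasher.verify("wrong", django_row))
```

The conversion is a plain string rewrite, so it can run as a single data migration over the users table; after it, Django's normal `check_password` path will accept the old credentials through the custom hasher, and the legacy verification code can be deleted rather than carried alongside a second scheme.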