What's wrong with scrypt

- ~100 ms corresponds to 32 MB memory usage on current server hardware - we could afford more RAM
  - At 1 ms, memory usage is so low that bcrypt is stronger
- Experiment: in the reference implementation (the one with SSE2 intrinsics, running on x86-64), reduce the number of Salsa20 rounds from 8 to 2
  - Result: only ~2x increase in memory usage at the same duration
- Time-memory trade-off benefits attackers with GPUs
  - Can be fairly easily defeated, but then it's not official scrypt
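To check the time-versus-memory figures above on your own hardware, the following added example (not part of the original slides) finds the largest scrypt N that fits a 100 ms and a 1 ms budget and reports the memory it implies. It uses Python's hashlib.scrypt (OpenSSL's implementation, not the reference one) and assumes r=8, p=1, which the slide does not state; the function names are illustrative.

```python
import hashlib
import os
import time

R, P = 8, 1  # assumed block size and parallelism; the slide does not give them


def scrypt_memory_bytes(n, r=R):
    """Size of scrypt's big array V: N blocks of 128*r bytes (RFC 7914)."""
    return 128 * n * r


def time_scrypt(n, r=R, p=P, repeats=3):
    """Best-of-`repeats` wall time in seconds for one scrypt computation."""
    salt = os.urandom(16)
    # OpenSSL refuses anything above 32 MiB by default, so raise the limit to
    # V plus the p working blocks plus some slack.
    maxmem = scrypt_memory_bytes(n, r) + 128 * r * (p + 2) + 1024 * 1024
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        hashlib.scrypt(b"constructed password", salt=salt, n=n, r=r, p=p,
                       maxmem=maxmem, dklen=32)
        best = min(best, time.perf_counter() - start)
    return best


def largest_n_within(budget_seconds, max_log2_n=18):
    """Largest power-of-two N whose hash fits the time budget, or None."""
    chosen = None
    for log2_n in range(1, max_log2_n + 1):
        n = 1 << log2_n
        if time_scrypt(n) > budget_seconds:
            break
        chosen = n
    return chosen


if __name__ == "__main__":
    for budget in (0.100, 0.001):
        n = largest_n_within(budget)
        if n is None:
            print(f"{budget * 1000:.0f} ms: even N=2 is too slow here")
        else:
            mib = scrypt_memory_bytes(n) / 2**20
            print(f"{budget * 1000:.0f} ms: N=2^{n.bit_length() - 1}, {mib:g} MiB")
```

With r=8, the 32 MB figure corresponds to N=2^15; the values printed depend on the machine the script runs on.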