What's wrong with scrypt ~100 ms corresponds to 32 MB memory usage on current server hardware We could afford more RAM on dedicated authentication servers OTOH, in crypt(3) used by a Unix system distribution by default, even a few megabytes per thread might not be universally affordable (think VMs) At 1 ms, memory usage is so low that bcrypt is stronger Time-memory trade-off benefits attackers with GPUs Can be fairly easily defeated, but then it's not official scrypt A single instance of Salsa20/8 might not contain enough natural parallelism to fully use a modern CPU core's execution units In scrypt, only high-level parallelism is tunable