[tptacek]

I think most anyone who looks at KDFs probably both likes scrypt and also doesn't obsess too much about them. The problem with scrypt is that it doesn't have a lot of language bindings; you can get bcrypt anywhere.

Personally, I think any serious KDF is better than just using SHA1 (or SHA256, and note that the difference between SHA1 and SHA256 is not super relevant to SRP), so as long as you're doing something --- PBKDF1, PBKDF2, bcrypt, scrypt, hand-hacked 1000-iterations-of-SHA1 --- I'm happy.