Thanks! I didn't, but maybe I should have. I thought the API of scrypt.js would work well and don't think I came across anything better. I also figure scrypt is plainly better than PBKDF2; being designed from ground up for key lengthening and offering memory hardness. I figure bitcoin ASICs might be repurpose-able to attack PBKDF2; though I'm not sure if that's a threat, and I imagine it mostly somewhat applies to scrypt anyway because of litecoin and friends. If I were more worried I would have researched the default parameters more, I think this is 128- vs 256-bit territory.