I proposed HMAC just in order to avoid that there is some strange property about H(H(H(H(H(...))) probably not true for SHA1 and many other believed secure hash functions and block cyphers.
Btw another slow thing that can be used is Blowfish, as it has a slow key scheduling stage, but don't know if it's slow enough.
Another approach can be to take any Feistel Network based block cypher and turn it from M rounds to M*N rounds.
There are many ways to turn a secure cryptographic primitive into a monkey asses slow cryptographic primitive that seriously limits the effectiveness of brute force.
Bcrypt is a pessimized version of Blowfish. If you're working at this level of granularity, it should be for a research paper, not something people actually use.
Btw another slow thing that can be used is Blowfish, as it has a slow key scheduling stage, but don't know if it's slow enough.
Another approach can be to take any Feistel Network based block cypher and turn it from M rounds to M*N rounds.
There are many ways to turn a secure cryptographic primitive into a monkey asses slow cryptographic primitive that seriously limits the effectiveness of brute force.