
This assumes they aren't salting the hashes. But Blizzard apparently[1] uses SRP 6+, which does salt the hashes, meaning if you and I have the same password we will still have unique hashes.

[1] http://www.reddit.com/r/netsec/comments/u2168/blizzard_inten...



Just so you know, every variant of SRP is randomized, not just SRP6, and every variant of SRP has parameters that can to some extent be tweaked to provide variable work factors.


That's cool, I had never heard of this.

How is the salt stored to make sure attackers won't just steal your salt anyway? Wikipedia says "the salt is stored along with the output of the one-way function" [1]. Does it mean the server needs to store the salt for each user so it can authenticate the password?

[1] http://en.wikipedia.org/wiki/Salt_(cryptography)


As the defender, you don't care if the salt is obtained by the attacker. The salt is not a secret. Its only use is to ensure that each password is hashed as unique, even if the users chose the same password. Basically, it is for defeating precomputed databases (rainbow tables), nothing more.


You store a salt per user. Salts protect against rainbow table attacks. The salt doesn't have to be private for it to be effective at that task.


Every randomized password hash does exactly this; the randomizing nonce is tiny compared to the hash itself.
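
To make the storage question in this thread concrete, here is an added example (not code from any commenter or from Blizzard) of a per-user salted password record stored next to its hash. It uses PBKDF2-HMAC-SHA256 from Python's standard library rather than SRP; the iteration count, record layout and sample passwords are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # work factor (assumed value for this example)
SALT_BYTES = 16       # per-user random salt, stored in the clear


def make_record(password, salt=None):
    """Return what the server stores for one user: salt, work factor, hash."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "hash": digest}


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def demo():
    # Constructed sample data: two users who chose the same password.
    alice = make_record("hunter2")
    bob = make_record("hunter2")
    # Bob's hash checked against Alice's salt: the hash is bound to its own salt.
    mixed = {"salt": alice["salt"], "iterations": ITERATIONS, "hash": bob["hash"]}
    return {
        "same_hash": alice["hash"] == bob["hash"],   # different salts, different hashes
        "alice_ok": verify("hunter2", alice),        # stored salt is enough to verify
        "wrong_rejected": not verify("hunter3", bob),
        "mixed_ok": verify("hunter2", mixed),        # salt from one user, hash from another
        "sizes": (len(alice["salt"]), len(alice["hash"])),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
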



