We need:

• users (anyone can join)
• administrators (administrators can appoint administrators)
• ability to reset passwords
• individual salts, and a proper password hashing algorithm
• preferably backing onto mongodb because that's where the data will be (this depends on me pushing the mongodb stuff into the repo soon.)
• preferably integrating a 3rd party, tested component because it's easy to make mistakes in these systems.

This is probably the way to go: http://cork.firelet.net

This is done on the auth branch, just need to merge it in, which I will do once the database that auth protects is not entirely useless.