I'm relatively new to web development and currently working with TypeScript, Node, Express, and React. Historically, I've followed tutorials that lead me to use methods like JWT and bcrypt for authentication, manually validating everything. However, I'd like to understand how to implement authentication in a secure way without defaulting to 'login with Google', which I didn't find satisfactory in a previous tutorial. People often warn against rolling your own authentication, so I want to know what knowledge or techniques I should master to ensure secure and proper authentication for a small application.
5 Answers
It's totally acceptable to implement your own authentication as long as you understand what you're doing. Consider researching OWASP guidelines for insights on secure authentication practices. Building a small project to test out your own implementation can also provide valuable experience.
You can certainly roll your own authentication if you're careful not to create your own hashing methods. At its core, authentication can be pretty straightforward—you can generate a hash, store it, and compare it. Just remember, authorization can get a bit more complex, especially depending on your app's requirements.
Remember that "don't roll your own auth" doesn't mean you can't implement your own. It just suggests you should rely on established libraries where available. If you do decide to build your own system, make sure it follows basic security principles and practices.
The key point is to avoid rolling your own encryption, particularly for things like password hashing. Use established libraries such as bcrypt for this purpose. If you're looking for an all-in-one solution, services like Auth0 or Keycloak can handle all authentication for you. Alternatively, you can mix and match different auth libraries based on your needs.
When people say 'don't roll your own auth', they usually mean either to let a third-party handle your authentication entirely or to avoid creating your own cryptographic algorithms. Follow standard practices; use well-tested hashing algorithms and adhere to cookie and browser security guidelines.