i think someone asked a similar question on this group recently, and there were some good opinions in that response thread if you can find it.
short answer (in my opinion): it depends on the database and your style. on GAE since you can't do joins i put all the info on the auth_user table. on mysql or postgres i tend to have a mixture that somewhat depends on the quantity of information. i also have grown to have no fear of adding columns to auth_user. cfh
