So far I know a few things about the in-database, password-based authentication in FOST.3™ (FOST.3™ also supports a few other authentication schemes which are more secure):
As Thomas Ptacek says, the scheme used makes rainbow table attacks useless, but it does nothing to stop brute force attacks on weak passwords (despite what Jeff Atwood thinks).
What nobody seems to have discussed so far is what you put in the cookie. I think that an extra round of SHA1 would be good (maybe with an extra salt, and possibly including the client's IP address in the hash), but I suspect a random string might be better (although getting a truly random string out of a computer is not easy).
What I do know for sure, though, is that although I'm not qualified to come up with a proper scheme, the current practice of putting the password in the cookie is an awfully bad idea.
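Since the post leaves the cookie design open, here is an added example (not FOST.3 code; the in-memory store, TTL and function names are assumptions) of the "random string" option it favours: the cookie holds a CSPRNG token that has no relationship to the password, the server keeps only a hash of that token, and logout or expiry kills it server-side.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

# Constructed in-memory session table standing in for a database table.
# Keyed by the SHA-256 of the token, never by the token or the password.
SESSIONS: Dict[str, dict] = {}
SESSION_TTL = 3600  # seconds; an assumed value

def _digest(token: str) -> str:
    # Persist only a hash of the token: someone who reads the table
    # (backup, SQL injection, curious DBA) still cannot forge a cookie,
    # and the hash lookup removes the timing concern of comparing raw
    # secrets against stored ones.
    return hashlib.sha256(token.encode()).hexdigest()

def issue_session(user: str, now: Optional[float] = None) -> str:
    """Mint a cookie value for a user who has already authenticated.

    32 bytes from the OS CSPRNG: unrelated to the password, unique per
    login, and useless once the server-side record is gone.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    SESSIONS[_digest(token)] = {"user": user, "expires": now + SESSION_TTL}
    return token

def lookup_session(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user behind a cookie value, or None if unknown or expired."""
    now = time.time() if now is None else now
    key = _digest(token)
    rec = SESSIONS.get(key)
    if rec is None:
        return None
    if rec["expires"] <= now:
        del SESSIONS[key]  # purge stale records as they are seen
        return None
    return rec["user"]

def revoke_session(token: str) -> bool:
    """Logout: drop the record so the cookie is dead even if it was copied."""
    return SESSIONS.pop(_digest(token), None) is not None
```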