The answer is... only marginally better than 37signals. Since the source code of the web site is available it's possible to dig in and find out how Paul Graham handles password authentication.
The good news is that he doesn't store passwords in plain text. And even better he uses a one-way hash function (SHA-1) to verify passwords. When you enter your password it is hashed using SHA-1 (he uses OpenSSL's implementation of SHA-1 to do the hashing) and then stored in a file called arc/hpw. When it comes time to verify a password the hash from the password file is read and compared with a hash of the password you typed in.
    ; Login check from the Arc source (reconstructed here with the closing
    ; parentheses and return values the page extraction dropped):
    ; compare SHA-1(pw) against the stored hash for this user, then log the
    ; attempt in the good or bad login queue.
    (def good-login (user pw ip)
      (let record (list (seconds) ip user)
        (if (and user pw (aand (shash pw) (is it (hpasswords* user))))
            (do (unless (user->cookie* user) (cook-user user))
                (enq-limit record good-logins*)
                user)
            (do (enq-limit record bad-logins*)
                nil))))

    ; Hash a string by writing it to a temp file, running it through
    ; "openssl dgst -sha1", and returning the output minus its trailing newline.
    ; No salt is involved: the same password always gives the same hash.
    (def shash (str)
      (let fname (+ "/tmp/shash" (rand-string 10))
        (w/outfile f fname (disp str f))
        (let res (tostring (system (+ "openssl dgst -sha1 <" fname)))
          (do1 (cut res 0 (- (len res) 1))
               (rmfile fname)))))
The good news is that this means that if arc/hpw were stolen a hacker wouldn't be able to read the password from the file directly. The bad news is that the file is readily attackable using a rainbow table. If you got access to his password file, the passwords within it (unless they were really, really good passwords) would be broken in seconds or minutes.
That's a pity since he could easily have implemented a salted hash and he would have had a first line of defense against a rainbow table. The current implementation is little better than a plain text password file.
Even better, he could have swapped SHA-1 for a slow algorithm like bcrypt. With salted bcrypt, rainbow tables are out of the window, as are password crackers that rely on running a dictionary plus salt through the hash algorithm.
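To make the two points above concrete, here is an added example (not code from the post or from the Arc source) that puts the unsalted scheme the post describes next to a salted, deliberately slow one. bcrypt is not in Python's standard library, so PBKDF2-HMAC-SHA256 via hashlib.pbkdf2_hmac stands in for it; the user names, passwords and iteration count are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# --- Scheme 1: unsalted SHA-1, as in the arc/hpw file the post describes ---

def sha1_hex(password: str) -> str:
    """Hex SHA-1 of the password alone; every user with this password gets this value."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def make_unsalted_file(users: Dict[str, str]) -> Dict[str, str]:
    """Build an hpw-style table: user -> unsalted hash."""
    return {user: sha1_hex(pw) for user, pw in users.items()}

def verify_unsalted(table: Dict[str, str], user: str, password: str) -> bool:
    stored = table.get(user)
    # compare_digest avoids leaking the match position through timing
    return stored is not None and hmac.compare_digest(stored, sha1_hex(password))

# --- Scheme 2: per-user random salt plus a slow key-derivation function ---
# (PBKDF2 here as a stand-in for bcrypt; the salt/slowness properties are the same)

ITERATIONS = 200_000  # assumption: tune so one hash costs tens of milliseconds

def hash_salted(password: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iters>$<salt hex>$<digest hex>' with a fresh 16-byte salt."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_salted(stored: str, password: str) -> bool:
    """Re-derive with the stored salt and iteration count, then compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))

def make_salted_file(users: Dict[str, str]) -> Dict[str, str]:
    return {user: hash_salted(pw) for user, pw in users.items()}

# Constructed sample users; alice and bob happen to share a password.
SAMPLE_USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "hunter2"}

def demo():
    """Return (unsalted hashes collide?, salted hashes collide?) for alice and bob."""
    unsalted = make_unsalted_file(SAMPLE_USERS)
    salted = make_salted_file(SAMPLE_USERS)
    return (unsalted["alice"] == unsalted["bob"],
            salted["alice"] == salted["bob"])

if __name__ == "__main__":
    print(demo())  # (True, False)
```

The first element of demo()'s result is the whole problem with the unsalted file: one precomputed table entry (or one rainbow-table lookup) for "correct horse" unmasks every account using it. With a per-user salt, the same password yields unrelated stored values, so precomputation buys nothing, and the iteration count makes each guess cost real time for a cracker just as it does for the legitimate login.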