
  The plaintext passwords entered via the "Account Data" option in xisp
  are encrypted using the encrypt/setkey routines. Since this requires a
  key kept inside the executable, someone having access to the source
  can potentially decode users' .xisprc entries and obtain plaintext
  passwords for ISP accounts. Since the .xisprc file is created as
  readable only by its owner, this is not very likely, but nevertheless,
  in the interest of enhancing the security just a bit more, the
  administrator installing xisp is urged to change the key saved in the
  pkey[] variable, in pcode.c. The key saved there has been already been
  scrambled by XORing it with 0xFF so that the key string is not
  traceable in the xisp binary. In order to change the key, pick a
  string of 8 characters, XOR them with 0xFF and place them in pkey[].

  The above is by no means a "secure system". It will deter the
  "professional user" but not your average "amateur hacker" ;)  But
  that's OK given the scope of this package. The requirement was basically
  to keep plaintext from appearing in the .xisprc file. Anyone is welcome
  to come up with something better (perhaps even more portable) and
  contribute it to the package :)

  Dimitri

