
  The plaintext passwords entered via the "Account Data" option in xisp
  are encrypted using the encrypt/setkey routines. Since this requires a
  key kept inside the executable, someone having access to the source
  can potentially decode users' .xisprc entries and obtain plaintext
  passwords for ISP accounts. Since the .xisprc file is created as
  readable only by its owner, this is not very likely, but nevertheless,
  in the interest of enhancing the security just a bit more, the
  administrator installing xisp is urged to change the key saved in the
  pkey[] variable, in pcode.c. The key saved there has already been
  scrambled by XORing it with 0xFF so that the key string is not
  traceable in the xisp binary. In order to change the key, pick a
  string of 8 characters, XOR them with 0xFF and place them in pkey[].
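
  A helper for the key change described above, added here as an example
  and not part of xisp: it XORs an 8-character key with 0xFF and prints
  the bytes as a C initializer list. It accepts only printable ASCII,
  because only then is every scrambled byte >= 0x80 and so skipped by
  tools that look for printable strings in the binary. The function
  names are hypothetical, and the assumption that pkey[] takes a
  brace-enclosed byte list should be checked against its declaration in
  pcode.c.

```c
/* Added example, not xisp code: function names are hypothetical. */
#include <stdio.h>
#include <string.h>

#define KEY_LEN 8   /* the text asks for a string of 8 characters */

/* XOR each key byte with 0xFF. Returns 0 on success, -1 if the key is not
 * exactly KEY_LEN bytes or contains a byte outside printable 7-bit ASCII.
 * A byte >= 0x80 would scramble to a value below 0x80 and could show up
 * as readable text in the binary, so such keys are rejected. */
int scramble_key(const char *key, unsigned char out[KEY_LEN])
{
    if (key == NULL || strlen(key) != KEY_LEN)
        return -1;
    for (int i = 0; i < KEY_LEN; i++) {
        unsigned char c = (unsigned char)key[i];
        if (c < 0x20 || c > 0x7E)
            return -1;
        out[i] = (unsigned char)(c ^ 0xFF);
    }
    return 0;
}

/* Render the scrambled bytes as "0x8b, 0x9a, ..." into buf.
 * Returns 0 on success, -1 if buf is too small. */
int format_initializer(const unsigned char in[KEY_LEN], char *buf, size_t len)
{
    size_t used = 0;
    for (int i = 0; i < KEY_LEN; i++) {
        int n = snprintf(buf + used, len - used, "%s0x%02x",
                         i ? ", " : "", in[i]);
        if (n < 0 || (size_t)n >= len - used)
            return -1;
        used += (size_t)n;
    }
    return 0;
}

int main(int argc, char **argv)
{
    unsigned char scrambled[KEY_LEN];
    char line[8 * KEY_LEN];

    if (argc != 2 || scramble_key(argv[1], scrambled) != 0) {
        fprintf(stderr, "usage: %s <8 printable ASCII characters>\n", argv[0]);
        return 1;
    }
    if (format_initializer(scrambled, line, sizeof line) != 0)
        return 1;
    printf("{ %s }\n", line);   /* assumed form of the pkey[] initializer */
    return 0;
}
```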

  The above is by no means a "secure system". It will deter the
  "professional user" but not your average "amateur hacker" ;)  But
  that's OK given the scope of this package. The requirement was basically
  to keep plaintext passwords from appearing in the .xisprc file. Anyone
  is welcome to come up with something better (perhaps even more portable)
  and contribute it to the package :)

  As of version 1.9 PAP support was added by using the +ua pppd option.
  This requires that pppd has access to a simple file containing the
  username and plaintext password. To this end, a temporary file called
  .xisppap is generated by xisp in the user's home directory just prior
  to launching pppd, and is deleted when pppd reads its parameters and
  forks to run in the background. Thus, the file remains in the
  filesystem only for the time between invocation and forking, which is
  about a couple of seconds on a lightly loaded system. It is created
  u+rw,go-rw (mode 600) of course :)

  Dimitri

