Slashdot Mirror


Encryption In OpenSource?

Millennium asks: "I'm working with some people on developing an Open-Source ICQ client. We're trying to decide how best to store the user's password in a file, should the user elect to do so. We thought about encrypting it, but I see some potential problems. So my question is this: How do you encrypt a password file in an Open-Source app, when the idea is to enter the password only once?" Millennium brings up some good points, so if you are thinking about building encryption into your apps, you might want to check this one out. Millennium's list of potential problems, in his own words:
  • If you use a hardcoded key, everyone can get it because the application is Open-Source and you have to code the key somewhere; that defeats the purpose of encrypting the password.
  • If you have the user create a key and reenter it each time they start the program, you've defeated the purpose of storing the password.
  • If you base it off of some data unique to the machine (the MAC address is an example, or perhaps there's a good use for the PIII serial number after all), then you can't transport the file between two machines easily (though an "Export Userlist..." command would be doable, I suppose).

There is a simple way around this one: timings. Ask the user to type a series of keystrokes and just time the difference between keypresses to create a random sequence - Instant random data source. Now that's just one solution (and possibly not even a good one), so does anyone else out there have other ideas?
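An added example, not code from the post or from any ICQ client, showing the third option in the list together with the "Export Userlist..." command the poster mentions: the stored file is sealed under a key derived from the host's MAC address, and export re-wraps it under a user passphrase so it can move to another machine. The construction uses only the standard library (HKDF and an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC, stand-ins for a real AEAD); the MAC values, salt and passphrase in the usage are constructed, and a hardcoded key would simply be a `machine_key` anyone with the source can recompute, which is the first problem on the list.

```python
import hashlib
import hmac
import os
import uuid
from typing import Optional

INFO = b"icq-client password store"  # constructed domain label, not from the post


def hkdf_sha256(secret: bytes, salt: bytes, info: bytes) -> bytes:
    """Single-block HKDF (RFC 5869): HMAC extract, then one expand step."""
    prk = hmac.new(salt, secret, hashlib.sha256).digest()
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()


def machine_key(salt: bytes, machine_id: Optional[int] = None) -> bytes:
    """Key bound to this host's MAC address; the salt is stored next to the file."""
    node = uuid.getnode() if machine_id is None else machine_id
    return hkdf_sha256(node.to_bytes(6, "big"), salt, INFO)


def passphrase_key(passphrase: str, salt: bytes) -> bytes:
    """Key for an exported file: slow PBKDF2, typed once per export/import, not per start."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || 32-byte HMAC tag."""
    enc_key, mac_key = hkdf_sha256(key, b"enc", INFO), hkdf_sha256(key, b"mac", INFO)
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Returns the password, or None if the key is wrong or the file was tampered with."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = hkdf_sha256(key, b"enc", INFO), hkdf_sha256(key, b"mac", INFO)
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


def export_userlist(stored: bytes, salt: bytes, passphrase: str, machine_id=None) -> bytes:
    """'Export Userlist...': re-wrap the machine-bound file under a passphrase for transport."""
    pw = unseal(machine_key(salt, machine_id), stored)
    if pw is None:
        raise ValueError("store cannot be opened on this machine")
    return seal(passphrase_key(passphrase, salt), pw)
```

Importing on the other machine is the reverse: `unseal` with `passphrase_key`, then `seal` with that host's `machine_key`. Because the MAC address is not secret, this only stops a copied file from being read elsewhere; anyone with local access to the running host can recompute the key from the same source.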
