The Drupal Security Team received report of weak encryption in the XMPP Framework module and upon review it was determined that the issue could be made in public as there is no direct exploit in the code. Excerpts of the report follow:

Version DRUPAL-6--1-2 and earlier of the xmpp_user module (included with
xmppframework at http://drupal.org/project/xmppframework ) captures and
stores the Drupal user's password during user login. It then stores the
password with a cypher in another table. The cypher is not configurable
by an administrator, making it relatively simple for a user with PHP
access or someone gaining access to the database to reverse that into a
plain-text format.

I would recommend one of the following courses of action (from least
secure to most secure); there may be other options:

1) Put a notice on the project page that user passwords are captured and
encrypted for use by the XMPP Framework module.
2) Allow the administrator to set the cypher as a variable, either as a
admin setting (suboptimal, as the cypher would also be in the database)
or in $conf in settings.php (more optimal, which would make it slightly
more difficult to decode the passwords, assuming the setting were
configured properly).
3) Do not capture the password, and instead create a unique password for
a user for use by XMPP Framework, perhaps with an md5 of the time(), or
even set up a unique password per session, which would make the module
highly secure.

>From
http://drupalcode.org/viewvc/drupal/contributions/modules/xmppframework/...
:

/**
* Implementation of hook_form_alter()
*/
function xmpp_user_form_alter(&$form, $form_state, $form_id) {
if (variable_get('xmpp_user_store_login_password', FALSE)) {
switch ($form_id) {
case 'user_login':
case 'user_login_block':
$form['#submit'][] = 'xmpp_user_login_block_submit';
break;
}
}
}

/**
* Retrieve the user password so we can store it
*/
function xmpp_user_login_block_submit($form, &$form_state) {
if (variable_get('xmpp_user_store_login_password', FALSE)) {
global $user;
$password = xmpp_user_encrypt_password($form_state['values']['pass']);

// Updating the user password we have stored in the system so the user can log into the chat client
db_query("UPDATE {xmpp_user} SET password = '%s' WHERE uid = %d", $password, $user->uid);

// ...
}

/**
* Encrypt the user password for saving in the system
*/
function xmpp_user_encrypt_password($password = NULL) {
if (!is_null($password) && drupal_strlen($password)) {
return strtr($password, '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklm nopqrstuvwxyz', 'fo2gFeBMQ45Vl3sDp1HGTYbz7vWdikU86taqSPE0muZOj9cKr xRLnJXhwyCIAN');
}
return NULL;
}

/**
* Decrypt the user password for usage by the system
*/
function xmpp_user_decrypt_password($password = NULL) {
if (!is_null($password) && drupal_strlen($password)) {
return strtr($password, 'fo2gFeBMQ45Vl3sDp1HGTYbz7vWdikU86taqSPE0muZOj9cKr xRLnJXhwyCIAN', '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklm nopqrstuvwxyz');
}
return NULL;
}