Martin Kobetic pointed out that my usage of RC4 wasn't safe. I quote:

"It's nice and simple, but it violates one important rule. Never ever
reuse a key with a stream cipher. Otherwise xoring two ciphertexts will
eliminate the keystream and yield a simple xor of two plaintexts, which,
depending on how unlucky you are, is anywere from trivial to reasonably
simple to break. Either way nowhere near the difficulty of breaking SHA1
 or RC4."

The current version, now also on SqueakMap, should fix this by adding
a random seed to the password before its use. A tests shows that
encrypting the same data with the same password multiple times results
in different cyphertext.

The API is the same so my Seaside and MC patches are still valid. Old
keyrings are upgraded when rewritten.

The only todo I can think off at this point is to make the location of
the external file configurable, so you can stuff it on a USB key (an
excellent suggestion, Chris!).

Happy hacking,

Cees