Since you keep referring back to that stackexchange link, some quotes from the man himself:
Quote
As everything is done using JavaScript, the site is particularly vulnerable to browser exploits, including malicious browser extensions. Modern web browsers are much more secure than the Internet Explorer 6 generation.
Quote
If our servers were compromised, the attacker could theoretically alter the JavaScript files to intercept the user's password next time they log in. For this to be effective, the attack would have to go unnoticed for an extended period of time.
10 Immutable Laws of Security.
Law #1: If a bad guy can persuade you to run his program on your computer, it's not solely your computer anymore.
Law #2: If a bad guy can alter the operating system on your computer, it's not your computer anymore.
Law #3: If a bad guy has unrestricted physical access to your computer, it's not your computer anymore.
Law #4: If you allow a bad guy to run active content in your website, it's not your website any more.
Law #5: Weak passwords trump strong security.
Law #6: A computer is only as secure as the administrator is trustworthy.
Law #7: Encrypted data is only as secure as its decryption key.
Law #8: An out-of-date antimalware scanner is only marginally better than no scanner at all.
Law #9: Absolute anonymity isn't practically achievable, online or offline.
Law #10: Technology is not a panacea.
What is Two-Channel Auto-Type Obfuscation?
The Auto-Type feature of KeePass is very powerful: it sends simulated keypresses to other applications. This works with all Windows applications, and for the target applications it's not possible to distinguish between real keypresses and the ones simulated by Auto-Type. This at the same time is the main disadvantage of Auto-Type, because keyloggers can eavesdrop on the simulated keys. That's where Two-Channel Auto-Type Obfuscation (TCATO) comes into play.
TCATO makes standard keyloggers useless. It uses the Windows clipboard to transfer parts of the auto-typed text into the target application. Keyloggers can see the Ctrl-V presses, but do not log the actual contents pasted from the clipboard.
Clipboard spies don't work either, because only parts of the sensitive information are transferred this way.
Anyway, it's not perfectly secure (and unfortunately cannot be made by theory). None of the currently available keyloggers or clipboard spies can eavesdrop on an obfuscated auto-type process, but it is theoretically possible to write a dedicated spy application that specializes in logging obfuscated auto-type.
Enter Master Key on Secure Desktop (Protection against Keyloggers)
Note: KeePass was one of the first (maybe even the first) password managers that allow entering the master key on a secure desktop!
KeePass 2.x has an option (in 'Tools' -> 'Options' -> tab 'Security') to show the master key dialog on a secure desktop (supported on Windows ≥ 2000), similar to Windows' User Account Control (UAC). Almost no keylogger works on a secure desktop.
The option is disabled by default for compatibility reasons.
KeePass 2.x Only
Note that auto-type can be secured against keyloggers, too, by using Two-Channel Auto-Type Obfuscation.
In an effort to help this brilliant idea that is Nxt, I will summarize my experience with the problem of security and key management.
The first thing I did was get the free KeePass program after analyzing several programs, as it is an open-source program and enjoys a high reputation.
Then, after reading a lot about key generation, I chose to use absurd and nonsensical phrases of not less than 50 characters made of memorized words, and 2 phrases of roughly 50 characters for the KeePass master password.
I installed the OtpKeyProv plugin for KeePass and activated two factors to open KeePass with Google Authenticator on my Android phone.
The first is a sentence of 50 characters, and the second is a sentence of 48 characters to activate Google Authenticator; the 48 characters match the Base32 standard. The advantage of a two-factor master password is that nobody can phish the whole password.
Within KeePass, generate the passwords you want, including those for Nxt accounts (for Nxt, it is also advised to use memorized words, not less than 50 characters, consisting of nonsensical words).
In Tools, Options, enable "change master key in a secure desktop" for every time you open your Nxt account using automatic writing.
On the automatic writing tab of each password, enable "Obfuscation 2 channel automatic writing".
I hope these tips can help. In any case, you can write to me with any questions about KeePass and handling the OtpKeyProv plug-in.
Finally, the technique of two-factor authentication for Nxt client passwords would be a good option against phishing. I leave it open to discussion in the forum.
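A simplified model of the two-channel idea quoted above from the KeePass documentation, added here as an illustration; it is not KeePass code and not part of the original post. The function names and the random split are assumptions: the model shows that a keystroke-only or clipboard-only observer each receives an incomplete fragment, while the target field ends up with the full text.

```python
import secrets

def tcato_split(text, rng=None):
    """Split text into (clipboard_part, typed_part).

    typed_part is a list of (final_position, char) in ascending order.
    Simplified model: KeePass's real splitting logic is not reproduced here.
    """
    if len(text) < 2:
        raise ValueError("need at least 2 characters to use two channels")
    rng = rng or secrets.SystemRandom()
    # Pick between 1 and len-1 positions for the clipboard, so that
    # neither channel ever carries the complete text.
    k = rng.randint(1, len(text) - 1)
    via_clipboard = set(rng.sample(range(len(text)), k))
    clip = "".join(c for i, c in enumerate(text) if i in via_clipboard)
    typed = [(i, c) for i, c in enumerate(text) if i not in via_clipboard]
    return clip, typed

def target_field(clip, typed):
    """Content of the receiving input field: paste first, then each typed
    character inserted at its final position (cursor moved in between)."""
    buf = list(clip)
    for pos, ch in typed:  # ascending order keeps earlier indexes valid
        buf.insert(pos, ch)
    return "".join(buf)

def keylogger_view(typed):
    """A keystroke-only logger sees Ctrl+V and the typed characters."""
    return "<Ctrl+V>" + "".join(ch for _, ch in typed)

def clipboard_spy_view(clip):
    """A clipboard-only monitor sees just the pasted fragment."""
    return clip

if __name__ == "__main__":
    secret = "correct horse battery"  # constructed sample value
    clip, typed = tcato_split(secret)
    print("keystroke channel:", keylogger_view(typed))
    print("clipboard channel:", clipboard_spy_view(clip))
    print("field content ok :", target_field(clip, typed) == secret)
```

As the quoted documentation notes, this only defeats observers limited to one channel; the secure desktop option for the master key does not depend on that assumption.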