From time to time, a thread will pop up about the best strategy for online passwords. Invariably, the discussion will devolve into the xkcd comic approach versus random characters. Also, password protection programs such as KeePass will be mentioned for those who don't wish to use the same password on each site.
Why is it (or is it?) assumed that password programs are safe? Wouldn’t it be trivially easy for the creator of such a program to insert malicious code that would upload the user’s password file whenever they wanted it? When someone wants to put a program on a site like Download.com, is the source code reviewed and re-compiled or are only the executables uploaded?
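One concrete check a user can do on the "are only the executables uploaded?" part of the question is to verify the downloaded installer against the checksum the developer publishes on their own site, rather than trusting whatever a download portal serves. The script below is an added example written for this thread, not code from the original poster or from KeePass; the installer name, its contents and the SHA256SUMS file are constructed inline for the demo.

```shell
#!/bin/sh
# Added example: verify a downloaded installer against a developer-published
# SHA-256 checksum list (the common "SHA256SUMS" format: "<hash>  <filename>").
# All file names and contents below are constructed for the demo.

# Print the SHA-256 hex digest of a file, using whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_download FILE SUMS_FILE
#   returns 0 if FILE's digest matches the entry for its basename in SUMS_FILE,
#   1 on a mismatch (tampered or corrupted download),
#   2 if the developer published no entry for that file name.
verify_download() {
    file=$1
    sums=$2
    name=$(basename "$file")
    # Accept both "hash  name" and the binary-mode "hash *name" forms.
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1 }' "$sums")
    if [ -z "$expected" ]; then
        echo "no published checksum for $name" >&2
        return 2
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH for $name: expected $expected, got $actual" >&2
        return 1
    fi
    return 0
}

# Demo: a pristine download verifies, then one extra byte makes it fail.
# Prints "ok bad" when both checks behave as intended.
demo_verify() {
    dir=$(mktemp -d)
    printf 'pretend installer bytes\n' > "$dir/PasswordSafe-Setup.exe"
    # Constructed stand-in for the developer's SHA256SUMS file.
    printf '%s  PasswordSafe-Setup.exe\n' \
        "$(sha256_of "$dir/PasswordSafe-Setup.exe")" > "$dir/SHA256SUMS"

    if verify_download "$dir/PasswordSafe-Setup.exe" "$dir/SHA256SUMS"; then
        r1=ok
    else
        r1=bad
    fi

    # Simulate a modified binary served by a mirror or download portal.
    printf 'X' >> "$dir/PasswordSafe-Setup.exe"
    if verify_download "$dir/PasswordSafe-Setup.exe" "$dir/SHA256SUMS" 2>/dev/null; then
        r2=ok
    else
        r2=bad
    fi

    rm -rf "$dir"
    echo "$r1 $r2"
}
```

Usage: `demo_verify` should print `ok bad`. The caveat is that this only catches a binary that was altered after the developer published it (a tampered mirror or repackaged portal download); fetch the checksum list from the developer's site over HTTPS, or better, verify their PGP signature on it. It says nothing about the first half of the question, a developer who ships malicious code on purpose; that needs the source to be reviewed and the build reproduced, so that the published binary can be shown to correspond to the reviewed source.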