Yes, much better.
Once you've got malware on your computer, you've lost already, game over. You need to prevent the infection in the first place.
This is exactly the thing that Google spent months trying to tell people when it was refusing to include password access to the password list. That extra password does nothing to increase security, and may be counter productive.
Talk like that can only mean that they know about the malware bundling.
Extremely interesting in combination with that quote of yours. Essentially: "the malware we install on your machine will get access to your passwords anyway."
Looks like Filezilla will not die a hero's death.
That being said, Base64 is woefully inadequate, just Google 'base64 decode'; and this response (from someone who appears to be a contributor) is just not a defence.
I've thought about it for the last few hours, and decided that the best solution is to just use RSA in the client.
And you could use a hardware key auth.
Like the German eID, where the key is signed by the government and on a special chipcard.
The software asks the card to sign, you need to type in your PIN on the reader itself, and the request will be signed with RSA.
The public key is world-readable on the card, so you can just send that to the server.
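The challenge-response login sketched above, written out as an added example (it is not code from this thread, from FileZilla, or from the eID project). The card is simulated in software: `Card`, `Server`, `Login` and the PIN check are names assumed for the illustration; a real card would keep the private key in its chip and take the PIN on the reader. The point it shows is the one the thread makes: the host never holds a reusable secret, the server only learns a public key, each login signs a fresh nonce, and a captured signature cannot be replayed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Card stands in for a signing smart card. The private key is generated
// inside the card and never exposed; every signature needs the PIN.
type Card struct {
	priv *rsa.PrivateKey
	pin  string
}

// NewCard creates a simulated card with a fresh 2048-bit RSA key.
func NewCard(pin string) (*Card, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Card{priv: priv, pin: pin}, nil
}

// PublicKey is world-readable, so it is the only thing enrolled at the server.
func (c *Card) PublicKey() *rsa.PublicKey { return &c.priv.PublicKey }

// Sign models "type your PIN on the reader": no PIN, no signature, so malware
// that only controls the host cannot mint one on its own.
func (c *Card) Sign(pin string, challenge []byte) ([]byte, error) {
	if subtle.ConstantTimeCompare([]byte(pin), []byte(c.pin)) != 1 {
		return nil, errors.New("card: wrong PIN")
	}
	digest := sha256.Sum256(challenge)
	return rsa.SignPSS(rand.Reader, c.priv, crypto.SHA256, digest[:], nil)
}

// Server holds only the enrolled public key plus the challenges it has issued
// and not yet seen answered.
type Server struct {
	enrolled *rsa.PublicKey
	pending  map[string]bool // hex(nonce) -> outstanding
}

func NewServer(pub *rsa.PublicKey) *Server {
	return &Server{enrolled: pub, pending: map[string]bool{}}
}

// Challenge issues a fresh random nonce for one login attempt.
func (s *Server) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[hex.EncodeToString(nonce)] = true
	return nonce, nil
}

// Verify accepts a signature only for a nonce it issued and has not consumed,
// so a recorded (nonce, signature) pair cannot be replayed.
func (s *Server) Verify(nonce, sig []byte) bool {
	key := hex.EncodeToString(nonce)
	if !s.pending[key] {
		return false // unknown, expired or already-used challenge
	}
	delete(s.pending, key)
	digest := sha256.Sum256(nonce)
	return rsa.VerifyPSS(s.enrolled, crypto.SHA256, digest[:], sig, nil) == nil
}

// Login runs the whole exchange: nonce from server, signature from card,
// verification against the enrolled public key.
func Login(s *Server, c *Card, pin string) (bool, error) {
	nonce, err := s.Challenge()
	if err != nil {
		return false, err
	}
	sig, err := c.Sign(pin, nonce)
	if err != nil {
		return false, err
	}
	return s.Verify(nonce, sig), nil
}

func main() {
	card, err := NewCard("1234") // constructed PIN for the demo
	if err != nil {
		panic(err)
	}
	srv := NewServer(card.PublicKey())
	ok, err := Login(srv, card, "1234")
	fmt.Println("login with correct PIN:", ok, err)
	_, err = Login(srv, card, "0000")
	fmt.Println("login with wrong PIN:", err)
}
```

Nothing on the host is worth stealing after the fact: the public key is public, the PIN goes to the reader, and each signature is bound to a single-use nonce. Contrast that with a stored password, Base64 or not, which is usable by whoever reads the file.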
It seems like any credentials that can be automatically used after a program loads without the user authenticating are at risk for malware harvesting.