If knowing one's sources is a good thing, then you should know that Spencer is the 500th entry in the list of most-cited scientists on climate change and Christy is the 747th (see http://www.eecg.utoronto.ca/~p...). Personally, I pay more attention to the more cited individuals.
An attack like that would require installation of a keylogger. I don't recall any evidence that such a system can be installed remotely (though I don't discount the possibility). I suspect, however, that an attacker sufficiently motivated to install a keylogger would not be deterred by the necessity of installing it on another device.
A brute-force attack on a password safe that's been encrypted using AES-256 with a 256-bit key is not feasible. I don't understand your point about divulging a password. Why would one do that? Also, the access code to a hardware device would seem to have the same vulnerability. Why would it matter if the key is entered into a program running on a laptop rather than into a program running on some other device?
KeePass uses AES-256 encryption and my master password has about 256 bits of entropy. Even Bruce Schneier says to trust the math.
How does this differ from using KeePass and keeping the password safe on Dropbox?