That requires that you do something stupid to get a key logger installed on your machine. And yes, in that case you're screwed. However, you're far less likely to have that happen than some random site you're on getting hacked. You are one target, the site is thousands or millions.

Would be interesting to know if there's any research on the number of site compromises vs desktop compromises.

There are still plenty of computers out there that are probably running vulnerable versions of Flash/Java etc. I imagine one of the biggest incentives to hack some random blog is to infest it with drive -by malware and compromise a bunch of machines if it has high traffic.

Also if you have a keylogger on a machine you can look for things that might be site admin passwords. So it wouldn't surprise me if there was a relatively symbiotic relationship.

Out of curiosity, would a key logger be able to capture of the contents of a cut and paste? I currently use 13 character randomly generated passwords and, usually, I don't type them in manually.

If you're storing them in plain text, then they can grab them regardless.

If you're storing them in lastpass, then they can grab them regardless.

If you're storing it in an encrypted partition, then they can grab them regardless.

Once somebody has access, it's game over.

A hardware keylogger, sitting between keyboard and machine? No.

A software trojan, that can capture keystrokes, mouse movements, selected text, screenshots... Most certainly yes. :(