Why is it a good idea to use a key file instead of a password? Any malware I catch could use the key file to access all my passwords or is there something I'm not understanding?
I'd recommend both; KeePass supports that. KeePass supports using a secure desktop to prevent keyloggers[1], but you never know with some of the USB keyboard exploits[2], and good old-fashioned looking over your shoulder. While KeePass has protection against dictionary attacks[3], why not use a key file? You can put it on a flash drive, and now no one can access your passwords without that USB key. (Obviously, make sure you have multiple copies of your key file. :)
I would personally use a combination of both. If you keep the key file on a USB thumb drive that you only insert when you need to unlock your files, I guess it works out well then.
I use a combination of password and key file so that I can worry less about someone shoulder surfing or otherwise observing the input of my password.
My password database is stored on a USB key that I carry with me, with a regular copy made and securely stored.
The key file is stored on the devices I use, in a directory restricted to my own access and on a drive which is encrypted. An encrypted copy is also stored on the USB key with the password database; this can be decrypted using a GPG key stored on a YubiKey that I also carry; if a device can be trusted enough, this is how I move the key file around.
Access to the database requires three things rather than two. A long passphrase could be recorded by an observer, who could then take my USB key. The key file ensures that they still do not have all that they need.
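Both the "put it on a flash drive" answer and the "three things rather than two" answer rest on how KeePass combines its key components. The following is an added example, not code from any of the posters and not KeePass's own code: it reproduces KeePass 2.x's documented composite-key construction (SHA-256 over the concatenation of SHA-256(password) and the 32-byte key taken from the key file, with a plain 32-byte or 64-hex-character file used directly and any other file replaced by its SHA-256), then models the shoulder-surfer who captured the password but not the key file. The function names, the sample password and the randomly generated key file are constructed for the example; the XML key-file format is assumed out of scope.

```python
import hashlib
import os
from typing import Optional


def keyfile_key(data: bytes) -> bytes:
    """Turn a key file's bytes into the 32-byte component KeePass uses.

    Follows the rules KeePass 2.x documents for plain (non-XML) key files:
    exactly 32 bytes are used as-is, exactly 64 hex characters are decoded,
    anything else is replaced by the SHA-256 of the whole file.
    (Assumption: XML key files are not handled here.)
    """
    if len(data) == 32:
        return data
    if len(data) == 64:
        try:
            return bytes.fromhex(data.decode("ascii"))
        except (UnicodeDecodeError, ValueError):
            pass  # 64 bytes but not hex: treat it like any other file
    return hashlib.sha256(data).digest()


def composite_key(password: Optional[str], keyfile_data: Optional[bytes]) -> bytes:
    """SHA-256 over the concatenated components (SHA-256 of the password,
    then the key-file key). This is what KeePass feeds into its KDF
    (AES-KDF or Argon2) before anything is decrypted. Either component
    may be absent, but not both."""
    if password is None and keyfile_data is None:
        raise ValueError("need a password, a key file, or both")
    parts = b""
    if password is not None:
        parts += hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile_data is not None:
        parts += keyfile_key(keyfile_data)
    return hashlib.sha256(parts).digest()


def new_keyfile(path: str) -> bytes:
    """Write a fresh 32-byte random key file (the kind you would copy to
    the flash drive) and return its contents."""
    data = os.urandom(32)
    with open(path, "wb") as f:
        f.write(data)
    return data


def observer_gets_in(password: str, keyfile_data: bytes,
                     stolen_password: Optional[str],
                     stolen_keyfile: Optional[bytes]) -> bool:
    """Model the shoulder-surfer: does what they captured reproduce the
    composite key the owner actually uses?"""
    if stolen_password is None and stolen_keyfile is None:
        return False
    owner = composite_key(password, keyfile_data)
    return composite_key(stolen_password, stolen_keyfile) == owner


if __name__ == "__main__":
    import tempfile

    pw = "correct horse battery staple"  # constructed sample password
    with tempfile.TemporaryDirectory() as d:
        kf = new_keyfile(os.path.join(d, "keepass.key"))
    print("password only:      ", observer_gets_in(pw, kf, pw, None))
    print("key file only:      ", observer_gets_in(pw, kf, None, kf))
    print("password + key file:", observer_gets_in(pw, kf, pw, kf))
```

The example stops at the composite key on purpose: the real database then runs that key through the configurable KDF, which is the dictionary-attack protection the second reply points to, and a missing 32-byte key-file component leaves an attacker with 256 bits of unknown input that no amount of password guessing recovers.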