Would a "master password" (a la Firefox/Thunderbird) be the way to go (as input to an encryption routine)?

It seems like any credentials that can be automatically used after a program loads without the user authenticating are at risk for malware harvesting.