I’m sure you’re probably safer just using a local file. If someone has total control of your system, then I imagine that they could wait until you open your password database to grab the data. I did eyeball Authenticator, and the 6-digit number resets after approximately 30 seconds. So I think that would take some serious computing power to crack that along with a long master password in 30 seconds. It would be nice if Google would add some letters and symbols, and maybe an extra digit or two, into Authenticator.

1Password uses PBKDF2, and LastPass was in the process of implementing it several months ago, to supposedly render brute force attacks ineffective by forcing pauses in brute force attempts. I don’t know enough about PBKDF2 to know if it truly neuters brute force attacks. If it does, then the real risk would be in the entry and transmission of the password, which Authenticator takes care of. That’s a big “if,” though.
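
How PBKDF2's iteration count sets the cost of each offline guess at a master password, as an added example that is not part of the original comment and is not any password manager's own code. The function names, the iteration counts and the 8-character keyspace are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

SECONDS_PER_YEAR = 365 * 24 * 3600

def derive_key(password: str, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """Stretch a master password into a key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, length)

def verify(password: str, salt: bytes, iterations: int, expected: bytes) -> bool:
    """Check a candidate password; every check pays the full iteration cost."""
    candidate = derive_key(password, salt, iterations, len(expected))
    return hmac.compare_digest(candidate, expected)  # constant-time comparison

def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure how long one derivation takes on this machine."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(samples):
        derive_key(f"candidate-{i}", salt, iterations)
    return (time.perf_counter() - start) / samples

def years_to_exhaust(keyspace: int, guess_seconds: float, parallel: int = 1) -> float:
    """Worst-case time to try every candidate with `parallel` workers."""
    return keyspace * guess_seconds / parallel / SECONDS_PER_YEAR

if __name__ == "__main__":
    # Constructed keyspace: 8 random characters drawn from [A-Za-z0-9].
    keyspace = 62 ** 8
    for iterations in (1, 1_000, 100_000):
        cost = seconds_per_guess(iterations)
        print(f"{iterations:>7} iterations: {cost * 1000:9.3f} ms per guess, "
              f"{years_to_exhaust(keyspace, cost):14.1f} years on one core")
```

The cost grows roughly linearly with the iteration count and applies to the legitimate unlock as well as to every guess, so the setting trades unlock delay against guessing speed.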