Hi Jim,

I am using MultiBit-0.5.8beta, and generally I am having a great experience using it.
Thank you for developing this awesome client.

I think I already mentioned the following in an earlier post, but want to get some update:

When creating a new wallet (or when starting the first installed version) MultiBit creates one address.
The wallet by default is unencrypted, so the private key for this first address in the wallet will be stored unencrypted in the filesystem.
At this time, malicious software on the computer would be able the seize the private key.
Therefore, I consider this private key and the corresponding public address to be insecure.
Even if later on you encrypt the wallet, the private key for this first address might already be compromised and could some months later be used by an attacker to seize the bitcoins stored at this address.

This behaviour I find especially troublesome due to the following reasons:
I. Change is sent back specifically to this first address. It can happen that large amounts are stored in this address due to this behaviour.
II. Now that MultiBit is the #1 recommended client on bitcoin.org for novice users (congratulations!), many people are using this client and more to come. This makes it a bigger target for attackers.

How do you want to close this tiny (but nonetheless existing) security hole?
Will there be a version without the first address generated by default?

Thanks again for all your efforts.