wallet.dat contains your private key, yes. (I'll be elaborating on this in the next part, so stay tuned!)
Some desktop clients let you password-protect your key. The encryption strength depends entirely on the strength of your password. http://www.passwordmeter.com/ can give you a good indication of your password strength. Any score over 50% should take a sufficiently long time to guess that the hacker will move on to the moron whose password is 'password'.
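As an added illustration (not part of the original comment), a small Python estimate of how the passphrase you choose drives the time needed to guess it; the mini wordlist, the guess rate and the key-derivation iteration count are constructed assumptions, not figures from any wallet client:

```python
import math
import string

# Constructed stand-in for a real cracking dictionary (assumption).
COMMON_WORDS = {"password", "123456", "qwerty", "letmein", "bitcoin"}


def charset_size(pw: str) -> int:
    """Size of the smallest character pool covering every character in pw."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII symbols
    if any(c not in string.printable for c in pw):
        size += 100  # rough allowance for non-ASCII characters (assumption)
    return size


def entropy_bits(pw: str) -> float:
    """Optimistic guessing entropy in bits.

    A dictionary word costs the attacker only log2(wordlist size) guesses,
    no matter how long it is; otherwise length * log2(pool) is an upper bound.
    """
    if pw.lower() in COMMON_WORDS:
        return math.log2(len(COMMON_WORDS))
    return len(pw) * math.log2(charset_size(pw))


def expected_guess_seconds(pw: str, guesses_per_second: float = 1e9,
                           kdf_iterations: int = 1) -> float:
    """Expected seconds to hit the passphrase after trying half the space.

    kdf_iterations models how many hash rounds the wallet spends deriving the
    key from the passphrase; each round multiplies the attacker's cost by the
    same factor (the count here is an assumption, not a client's real setting).
    """
    guesses = (2 ** entropy_bits(pw)) / 2
    return guesses * kdf_iterations / guesses_per_second


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3", "correct-horse-battery-staple"):
        print(f"{candidate!r}: {entropy_bits(candidate):.1f} bits, "
              f"~{expected_guess_seconds(candidate):.3g} s at 1e9 guesses/s")
```

Run it with a few candidate passphrases to see that a dictionary word is exhausted almost instantly while a long mixed-character passphrase pushes the expected time out of reach, and that the key-derivation round count scales the attacker's cost linearly.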