After a lot of research about password managers and a lot of references obtained from the discussion "How safe are password managers like LastPass?", I have come to the conclusion that password managers have some really scary points of failure: if my machine or mobile device is compromised when I use my master password and the U2F key to unlock the password manager (I am thinking of something like a YubiKey or Nitrokey), then all of my passwords can be stolen, even the ones that I use the least (like an Amazon account with my credit card information saved).
Reading the discussion and other opinions, I got the impression that everyone says "If you lose the security of your machine then you are already ******", but there are cases when that isn't really true. Think about the passwords that I use only a few times per year, like those from online stores but with my CC credentials: in the time between the beginning of the infection and the time I use the password, I could get rid of the malware (formatting, antivirus), or I could use the password on another machine and the malware never gets this information. With a password manager every password saved can be stolen.
So, I was thinking that the best way to use a password manager is to:
- never save critical passwords like the bank account
- never leave the password manager "open" (logged in)
- never use the autocomplete, even if the clipboard is another insecure place and, in the discussion "Does the average user really need a password manager?", tylerl had a point about the risk of fake sites. But I read about some attacks via the browser that can access even other passwords without a trace, so better safe than sorry.
So, reading about the functionality of some of the most famous password managers, like LastPass or KeePass, I was searching for a way to decrypt only the single password needed, so that if the machine is compromised only this password can be stolen. But it looks like it is impossible.
Is it possible to add another layer of security?
What if I use an external drive to save the offline archive, with a different file system and encryption, in read-only mode? Could that help?
I know I am a little paranoid, but when I am going to use some new software or practice I want to use the most secure and correct way to do it. So now I am confused and worried: I want a relatively simple way to access my passwords, but one that makes it really difficult for others to get their hands on my data.
Sorry for my English