What only people will not come up with to not use KeePass .
UPD: And now to the point:
When unpacking a file from an archive (even when using the integrated viewer from the archiver's GUI), the unpacked file is written to disk in open form. If the archiver process is killed at this point, the file will remain on disk. Even if you definitely manually delete it later, it still remains possible to restore it, and it is not known how long its remains can be found on the disk, it can be years. The only thing that can help is the means of guaranteed erasure (of the file and free disk space). But their use further complicates the process of extracting passwords, and therefore increases the likelihood of an accidental mistake.
In addition, all software running under the same user has enough privileges to read the contents of the clipboard at any time (theoretically, these privileges can be revoked, but most software is not designed for this and will crash with wild errors). Many keyloggers keep a very close eye on changes in the buffer, storing and sending all changes to the server costs them "cheaper" than taking screenshots. And even scripts on a web page can in some cases read from the buffer (depending on the browser and settings).

Today, there is only one secure login option: a token/certificate received when registering in a system with two-factor authentication via PIN.
But today it works on a tiny percentage of all sites...
by any programs, you can only use "auth-session-wrapper".
Those. create your own package-modifying proxy and specify your passwords to services: "login/password"->"URL","METHOD" links. Feel free to add USER-AGENT and/or other browser headers if you like.
And then, you access it from another PC with the transfer of headers one-to-one / exactly the same as this (console) PC when you press the LOGIN button with empty fields. Get information about the session, restore it on the console and... You are already logged in under your account without entering a password on your PC.
The main thing is that the wrapper PC is on the same internal network as the console one. Those. had the SAME external IP address as the console one. (because in some cases the session is tied to the IP address of its initiator)
If you are building a closed zone yourself , you can do it as follows:
1. You press the "Login" button and the system reads the current token from your browser / application , updates it.
2. Asks to confirm with a security key: through another channel (another domain, SMS, etc.). Those. for example, the system may open a window to another domain, where it will say: "Enter PIN to login for session 31337". For example, 4 digits: "4115"
3. After entering - the remote server checks the bundle received through two different channels: PIN + TOKEN + [time intervals / limits]
4. if everything is OK - it lets you into the protected zone (LC, etc. ).
I will add on the topic: the best protection of a personal API from unauthorized entry (from the server side): port knocking