by masklinn 2557 days ago
> AFAIK the only thing it protects you from is generic malware that scans process memory for passwords.

Apparently it doesn't even do that: https://www.securityevaluators.com/casestudies/password-mana... (section Keepass)

Possibly because keepass uses the wrong flag? https://docs.microsoft.com/en-us/dotnet/api/system.security.... seems to say that the memory segment can be decrypted by either:

* all processes running on the box

* all processes owned by the same user

* only this process

Alternatively, might be because C# and the memory protection primitives don't prevent the GC from copying its data out of the protected area? IDK

edit: ah, or they might be using ProtectedData rather than ProtectedMemory, that only has the "same machine" and "same user" levels of protection: https://docs.microsoft.com/en-us/dotnet/api/system.security....
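
The scope levels discussed in this comment, as an added example that is not from the comment, the linked case study, or KeePass itself. It assumes .NET Framework on Windows with a reference to System.Security; the class name and sample secret are constructed for illustration.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography;
using System.Text;

static class ScopeDemo
{
    static void Main()
    {
        // Constructed sample secret. A real application would read the secret
        // straight into the pinned buffer; a string literal cannot be wiped.
        byte[] secret = Encoding.UTF8.GetBytes("constructed-sample-password");
        int len = secret.Length;

        // ProtectedMemory requires a buffer length that is a multiple of 16.
        byte[] buf = new byte[(len + 15) / 16 * 16];

        // Pin before copying so the GC cannot relocate the buffer and leave
        // a stale copy of its contents elsewhere on the heap.
        GCHandle pin = GCHandle.Alloc(buf, GCHandleType.Pinned);
        try
        {
            Buffer.BlockCopy(secret, 0, buf, 0, len);
            Array.Clear(secret, 0, len);

            // Encrypts buf in place. The scope decides who can reverse it:
            //   SameProcess  - only code in this process
            //   SameLogon    - any process in the same user context
            //   CrossProcess - any process on the machine
            ProtectedMemory.Protect(buf, MemoryProtectionScope.SameProcess);

            // The scope passed to Unprotect must match the one used above.
            ProtectedMemory.Unprotect(buf, MemoryProtectionScope.SameProcess);
            Console.WriteLine("round trip ok: " + (buf[0] == (byte)'c'));

            // ProtectedData returns a new blob instead of encrypting in place,
            // and has no per-process scope: only CurrentUser and LocalMachine.
            byte[] blob = ProtectedData.Protect(buf, null, DataProtectionScope.CurrentUser);
            Console.WriteLine("ProtectedData blob length: " + blob.Length);
        }
        finally
        {
            // Wipe the plaintext before unpinning the buffer.
            Array.Clear(buf, 0, buf.Length);
            pin.Free();
        }
    }
}
```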