I've been playing around with the HxD editor today, and it has a nice built-in feature that lets you view the memory of another process. This gave me the idea to check whether Enpass was exposing your sensitive information in memory. I opened up the running Enpass process in HxD and did a simple string search for one of my passwords. Surprisingly, I was able to find multiple occurrences of my password stored as a raw string in memory, even while Enpass was locked (without PIN enabled). I was also able to find secure notes, usernames, TOTPs, and other sensitive information that I was not even accessing in the Enpass window.

I tried finding many different entries, and one time I found a JSON-encoded string containing lots of sensitive data including passwords, which would make it especially easy for an attacker to dump the database. I understand that there are some cases where exposing the sensitive data in memory is necessary, but it is concerning to me that lots of it seems to be littered everywhere, especially when unnecessary, and even after locking Enpass. Another thing to note is that HxD didn't even require UAC privileges to view the memory, which means this information is exposed to literally any other program running on your machine. Though I haven't attempted to, I think it would be quite easy to write a program to pull your passwords from the Enpass memory.

Surely it is possible to encrypt the information in memory, and only expose it when displaying it on screen or copying it to the clipboard? Perhaps it would also be beneficial to clear the memory when you lock the database, with the exception of when a PIN is enabled?
Screenshot taken of HxD after locking the wallet:
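One way to implement the "clear the memory when you lock" suggestion from the post above, as an added C example that is not part of the original post and not Enpass's own code; the `vault_entry` type, the function names and the demo password are constructed for illustration:

```c
#include <string.h>

#define SECRET_MAX 256  /* fixed in-struct buffer: no freed heap block keeps a copy */
/* Call memset through a volatile function pointer so the compiler cannot
 * treat the wipe of a buffer that is about to go unused as a dead store. */
static void *(*const volatile secure_memset)(void *, int, size_t) = memset;

typedef struct {
    unsigned char buf[SECRET_MAX]; /* plaintext only while unlocked */
    size_t len;
    int unlocked;
} vault_entry;

/* Unlock: place the plaintext in the buffer (stands in for the decrypt step). */
int vault_entry_unlock(vault_entry *e, const char *secret) {
    size_t n = strlen(secret);
    if (n >= SECRET_MAX) return -1;
    memcpy(e->buf, secret, n + 1);
    e->len = n;
    e->unlocked = 1;
    return 0;
}

/* Lock: overwrite the whole buffer, not just the used part, before marking
 * the entry locked, so a later scan of this memory finds nothing. */
void vault_entry_lock(vault_entry *e) {
    secure_memset(e->buf, 0, sizeof e->buf);
    e->len = 0;
    e->unlocked = 0;
}

/* Scan the entry's buffer for `needle`, the same kind of string search the
 * post ran in HxD, applied here only to our own process's buffer. 1 = found. */
int secret_visible(const vault_entry *e, const char *needle) {
    size_t n = strlen(needle);
    if (n == 0 || n > sizeof e->buf) return 0;
    for (size_t i = 0; i + n <= sizeof e->buf; i++)
        if (memcmp(e->buf + i, needle, n) == 0) return 1;
    return 0;
}

int main(void) {
    vault_entry e = {0};
    const char *demo = "constructed-demo-password"; /* constructed, not a real secret */
    vault_entry_unlock(&e, demo);
    int before = secret_visible(&e, demo); /* 1 while unlocked */
    vault_entry_lock(&e);
    return (before == 1 && secret_visible(&e, demo) == 0) ? 0 : 1; /* 0 = wiped */
}
```

Wiping this one buffer does not remove copies made by UI widgets, string conversions or the clipboard, which is consistent with the multiple occurrences the post reports; the same discipline has to be applied wherever the secret is handled.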