Yes, Storing password in String object is not safe for following reasons −
String objects are immutable and until garbage collected, they remain in memory.
String being plain text can be tracked in memory dump of the application.
In log, String based password may be printed which can cause a problem.
Char can be cleared or wiped out after the job is done.