Why is char[] preferred over String for storing passwords?

Storing a password in a String object is not safe for the following reasons:

  • String objects are immutable, so their contents cannot be overwritten, and they remain in memory until they are garbage collected.

  • A String is plain text and can be found in a memory dump of the application.

  • A String-based password may be printed in a log, which can cause a problem.

A char[], by contrast, can be cleared or wiped out as soon as the job is done.
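
The following is an added example, not code from the original page, showing the points above in practice: a password held in a char[] is hashed without ever becoming a String, shows only the array identity if it is logged by accident, and is overwritten once it has been used. The class name, salt, sample password and iteration count are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordWipeDemo {

    // Derives a PBKDF2 hash from the password without creating a String from it.
    static byte[] hash(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                   .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // wipes the copy PBEKeySpec keeps internally
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = "constructed-salt".getBytes(StandardCharsets.UTF_8); // constructed value

        // Enrollment: hash the password, then wipe the array.
        char[] enrolled = {'s', '3', 'c', 'r', 'e', 't'}; // constructed sample input
        byte[] stored = hash(enrolled, salt);
        Arrays.fill(enrolled, '\0');

        // Login: in a real program this array would come from Console.readPassword().
        char[] password = {'s', '3', 'c', 'r', 'e', 't'}; // constructed sample input
        try {
            boolean ok = MessageDigest.isEqual(hash(password, salt), stored);
            System.out.println("login ok: " + ok);
            // Accidental logging prints the array identity, not the characters.
            System.out.println("logged value: " + password);
        } finally {
            Arrays.fill(password, '\0'); // overwrite the secret in place
        }
        System.out.println("after wipe: " + Arrays.toString(password));

        // A String offers no equivalent: its contents cannot be overwritten,
        // so the text stays on the heap until the object is garbage collected.
        String leaked = "s3cret"; // constructed sample input
        leaked = null; // only drops the reference; the characters remain in memory
    }
}
```

Note that PBEKeySpec copies the array it is given, so both `spec.clearPassword()` and the caller's own `Arrays.fill` are needed to remove every copy.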