char[] preferred over String for passwords in Java. Why is that?

Jeson84

I was advised by many forum members and some of my colleagues not to use Strings to handle passwords in Java. They recommended using char[]. But they never explained why. Can someone please explain why is that?

DavidM

Following is a quote from Java Cryptography Architecture guide.

It would seem logical to collect and store the password in an object of type java.lang.String. However, here's the caveat: Objects of type String are immutable, i.e., there are no methods defined that allow you to change (overwrite) or zero out the contents of a String after usage. This feature makes String objects unsuitable for storing security sensitive information such as user passwords. You should always collect and store security sensitive information in a char array instead.