char[] preferred over String for passwords in Java. Why is that?

I was advised by many forum members and some of my colleagues not to use Strings to handle passwords in Java. They recommended using char[]. But they never explained why. Can someone please explain why is that?


  • Following is a quote from Java Cryptography Architecture guide.

    It would seem logical to collect and store the password in an object of type java.lang.String. However, here's the caveat: Objects of type String are immutable, i.e., there are no methods defined that allow you to change (overwrite) or zero out the contents of a String after usage. This feature makes String objects unsuitable for storing security sensitive information such as user passwords. You should always collect and store security sensitive information in a char array instead.

Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


In this Discussion