can someone tell me why is char[] preferred over String for passwords?

Question

In Swing, the password field has a getPassword() (returns char[]) method instead of the usual getText() (returns String) method. Similarly, I have come across a suggestion not to use String to handle passwords.

Why does String pose a threat to security when it comes to passwords? It feels inconvenient to use char[].

Answer 1

Strings are permanent. That implies once you've designed the String if another method can drain memory, there's no space (apart from reflection) you can get relieved of the data before garbage collection thrills in.

Amidst an array, you can explicitly clean the data after you're done with it. You can overwrite the array with anything you wish, and the password won't be existing anywhere in the system, also before garbage collection.

So certainly, this is a security concern - but still using char[] only decreases the window of possibility for an attacker, and it's only for this particular type of attack.

 it's possible that arrays remaining moved by the garbage collector will move stray copies of the data in memory. I think this is implementation-specific - the waste collector may clear all memory as it goes, to bypass this sort of thing. Also if it does, there's still the time through which the char[] contains the actual characters as an initiative window.