This is a preference purely based on security reasons. A String, after having a value assigned, will stay in the String Pool in the memory until Garbage Collection occurs. Depending on certain factors, garbage collection may take some time before occurring. Compared to a character array, a String will take a longer time to be deleted from the memory and anyone having access to this memory dump can extract that in String in cleartext form. In the case of passwords, this can be disastrous.
Character Arrays can be set to blank the moment the usage of the cleartext is finished and are way more secure than Strings as they don't rely on implicit garbage collection.