Why to use char[] array over a string for storing passwords in Java?

Strings are immutable: Strings are immutable in Java and therefore if a password is stored as plain text it will be available in memory until Garbage collector clears it and as Strings are used in String pool for re-usability there are high chances that it will remain in memory for long duration, which is a security threat. Strings are immutable and there is no way that the content of Strings can be changed because any change will produce new String, while if you use a char[] you can still set all the elements as blank or zero. So storing a password in a character array clearly mitigates the security risk of stealing a password. With an array, the data can be wiped explicitly data after its work is complete. The array can be overwritten and the password won’t be present anywhere in the system, even before garbage collection. 2. Security: Any one who has access to memory dump can find the password in clear text and that’s another reason to use encrypted password than plain text. So Storing password in character array clearly mitigates security risk of stealing password. Java itself recommends using the getPassword() method of JPasswordField of javax.swing which returns a char[], instead of the deprecated getText() method which returns passwords in clear text stating security reasons. It’s good to follow advice from the Java team and adhere to standards rather than going against them.

  1. Log file safety: With an array, one can explicitly wipe the data , overwrite the array and the password won’t be present anywhere in the system. With plain String, there are much higher chances of accidentally printing the password to logs, monitors or some other insecure place, char[] is less vulnerable.
public class Password
{
public static void main(String[] args)
 {
String stringPwd = "security";
  char[] charPwd = new char[] {'s','e','c','u','r','i','t','y'};
  
  System.out.println("String password: " + stringPwd );
  System.out.println("Character password: " + charPwd );
 }
}

OUTPUT

String password: security
Character password: [F@24de5621]