A password stored in a Java String object remains in memory until the process ends or the garbage collector clears the memory.
The password will remain in the free heap memory as long as that memory space is not reused. Hence, passwords stored in String objects are vulnerable to snooping as long as they exist in memory.
A password in memory can be moved to the disk's swap space when system memory is low. This makes the password vulnerable to disk block snooping.
To protect passwords from such vulnerabilities, store them in char arrays and clear the arrays after use.