Why character array is better than String for String password?
In Java Strings are immutable and if one stores password in String it will be available in memory until garbage collector clears it. As the developer does not have control over Garbage Collector and string are created in String pool, there is high chance it will remain in pool for long duration.
Moreover any one who has access to memory dump can find the password as clear text.
Since String are immutable there is no way contents of String can be changed because any change will produce new String while in
char you can set it to blank or zero.