Why is char[] preferred over String for passwords?

In Swing, the password field has a getPassword() (returns char[]) method instead of the usual getText() (returns String) method. Similarly, I have come across a suggestion not to use String to handle passwords.

Why does String pose a threat to security when it comes to passwords? It feels inconvenient to use char[].

Solution:

Strings are immutable. That means once you've created the String, if another process can dump memory, there's no way (aside from reflection) you can get rid of the data before garbage collection kicks in.

With an array,