Here are a few reasons why char[] is preferred over String for storing passwords:
Security
- Strings are immutable in Java: once a String object is created, its value cannot be changed or overwritten. The application has no way to erase it, so the password remains in memory after it's no longer needed, until the object is garbage collected.
- Strings are also often cached by the JVM (for example, interned in the string pool) and can end up in logs, heap dumps, etc., exposing the password.
- A char[], on the other hand, can be overwritten with zeros after use, securely removing the password from memory.
- Strings are more heavyweight objects compared to char arrays. Creating and destroying Strings has more overhead.
- Strings ...