vt-middleware / passay

Password policy enforcement for Java.
http://www.passay.org

Usage of String to store password #116

Closed YuviMeiyappan closed 4 years ago

YuviMeiyappan commented 4 years ago

https://github.com/vt-middleware/passay/blob/49568154b621e3fd38e88df18f739b015f357033/src/main/java/org/passay/PasswordData.java#L29

String being immutable, anyone who has access to a memory dump can read the password. This causes a security concern.

dfish3r commented 4 years ago

If an attacker has enough access to dump memory I think you have bigger problems.

One reason the password is stored as a string is that many rules depend on the String API. So much so that your attacker would likely find the password in memory regardless, even if this particular instance of the password was a char[].

That said, if you have a patch that demonstrates this change I'll take a look at it.
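To illustrate the trade-off dfish3r describes, here is an added Java example (not passay code; `meetsPolicy` and `meetsPolicyViaString` are hypothetical names): the char[] version can be zeroed after the check, while the String-based version leaves an immutable copy on the heap that cannot be cleared.

```java
import java.util.Arrays;

// Added illustration, not passay code: the same policy check done directly on a
// char[] (which can be wiped) and through the String API (which leaves a copy).
public final class CharArrayPasswordCheck {

    /** Minimum-length and at-least-one-digit check performed on the char[] itself. */
    static boolean meetsPolicy(char[] password, int minLength) {
        if (password.length < minLength) {
            return false;
        }
        for (char c : password) {
            if (Character.isDigit(c)) {
                return true;
            }
        }
        return false;
    }

    /** Same check via the String API: the copy made here outlives any wipe of the char[]. */
    static boolean meetsPolicyViaString(char[] password, int minLength) {
        String s = new String(password);            // immutable copy now lives on the heap
        return s.length() >= minLength && s.chars().anyMatch(Character::isDigit);
    }

    public static void main(String[] args) {
        // Constructed sample input; real code would obtain it from e.g. Console.readPassword().
        // A char[] literal is used instead of "...".toCharArray() so no String literal is created.
        char[] password = {'s', '3', 'c', 'r', 'e', 't', '-', 'p', 'a', 's', 's', 'w', 'o', 'r', 'd'};
        try {
            System.out.println("char[] rule: " + meetsPolicy(password, 12));          // true
            System.out.println("String rule: " + meetsPolicyViaString(password, 12)); // true
        } finally {
            Arrays.fill(password, '\0');            // wipe our buffer; the String copy above remains
        }
        System.out.println("after wipe: " + Arrays.toString(password));
    }
}
```

Any rule that needs a `String` method reintroduces an unclearable copy, which is the point made above: a char[] in one class only helps if every consumer stays on the char[] path.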

dfish3r commented 4 years ago

No feedback from reporter. Feel free to reopen this for further discussion.