The crucial difference between using String and using char[] is that the String cannot be changed after we are done using it, while the char[] array can be changed once we are done using it.
So it's not *just* changing from String to char[], it's *also* clearing the character array after we are done using it, so it doesn't stick around in memory unnecessarily.

Here's a more detailed explanation: http://securesoftware.blogspot.com/2009/01/java-security-why-not-to-use-string.html

thanks,
bryan
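The pattern described in the reply above, as an added example that is not part of the original post: the password is held in a `char[]`, used once to derive a PBKDF2 verifier, and overwritten in a `finally` block. The class name, the helper names, the iteration count and the sample password are assumptions made for illustration.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;

public class PasswordBufferDemo {

    // Derives a PBKDF2 verifier from the password, then clears every copy
    // of the password this code controls, even if derivation throws.
    static byte[] deriveAndWipe(char[] password, byte[] salt) throws Exception {
        // PBEKeySpec clones the array, so there are two buffers to clear.
        PBEKeySpec spec = new PBEKeySpec(password, salt, 210_000, 256); // iteration count is an assumption
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return f.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();         // wipe the spec's internal clone
            Arrays.fill(password, '\0');  // wipe the caller's buffer
        }
    }

    // True when every element of the buffer has been overwritten with NUL.
    static boolean isWiped(char[] buf) {
        for (char c : buf) {
            if (c != '\0') return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);

        // Constructed sample input. A real program would call
        // System.console().readPassword(), which returns char[] directly.
        char[] enrolled = {'c', 'o', 'r', 'r', 'e', 'c', 't', '-', 'h', 'o', 'r', 's', 'e'};
        char[] attempt  = {'c', 'o', 'r', 'r', 'e', 'c', 't', '-', 'h', 'o', 'r', 's', 'e'};

        byte[] stored = deriveAndWipe(enrolled, salt);
        byte[] candidate = deriveAndWipe(attempt, salt);

        // A String password could not be overwritten like this; it would
        // remain on the heap until the garbage collector reclaimed it.
        System.out.println("verifiers match: " + MessageDigest.isEqual(stored, candidate));
        System.out.println("buffers wiped:   " + (isWiped(enrolled) && isWiped(attempt)));
    }
}
```

Overwriting the array shortens the time the plaintext is readable in a heap dump or core file; it does not reach copies made elsewhere, such as a `String` built from the array or a buffer relocated by the garbage collector.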