Why are Strings in StringPool considered insecure?

Passwords are recommended to be stored in char[] instead of String, as Strings are stored in the StringPool. Read more here

As per this question, Strings in the StringPool are not available directly. To obtain Strings in the StringPool, we would need a password dictionary to check them against the StringPool. If we have a password dictionary, we don't need to worry about the StringPool; we can in any case try it directly on the password fields.

To prevent brute-force attacks we are limiting the number of retries for passwords and checking for any suspicious activity.

If all that is in place, should we still not use "String" as a datatype for passwords?

The answer obtained from similar questions is: one can get access to a memory dump and thereby get access to the Strings in the StringPool.

Follow-up questions:

  • How can one access the memory dump?
  • Can the access be prevented?
  • If access to the memory dump is prevented, is it safe to use String as a type for passwords?
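The practical difference the question turns on is that a char[] can be overwritten once the password has been used, while a String is immutable and stays readable on the heap (and, for a literal, in the pool) until the garbage collector happens to reclaim it. The following is an added example, not code from the question or its linked answers; the key-derivation parameters and the sample password are constructed for illustration:

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordHandling {

    // Derives a key from the password with PBKDF2 and wipes the char[] afterwards.
    // Taking char[] lets the caller, rather than the garbage collector, decide when
    // the plaintext disappears from memory. Iteration count and key length are
    // constructed example values.
    static byte[] deriveKey(char[] password, byte[] salt)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 210_000, 256);
        try {
            SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return factory.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();          // PBEKeySpec holds its own copy; wipe that too
            Arrays.fill(password, '\0');   // overwrite the caller's buffer
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input. In a real application the char[] comes from
        // Console.readPassword() or JPasswordField.getPassword(), both of which return
        // char[] for exactly this reason; building it from a literal, as done here for
        // the demo, necessarily leaves that literal interned in the String pool.
        char[] password = "correct horse battery staple".toCharArray();
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);

        byte[] key = deriveKey(password, salt);
        System.out.println("derived key bytes: " + key.length);               // 32
        System.out.println("buffer after use:  " + Arrays.toString(password)); // all '\0'

        // Contrast: a String offers no way to clear its contents. Whether it came from
        // a literal (interned) or was built at run time (ordinary heap object), it stays
        // readable in a heap dump until it is collected, and copies may outlive it.
        String asString = new String(password); // now all NULs, but would have been the password
        System.out.println("String length still: " + asString.length());
    }
}
```

The zeroing only helps if every copy is zeroed: APIs that accept char[] (PBEKeySpec, Console.readPassword, JPasswordField) exist so the plaintext never has to become a String at all, and the finally block makes sure the wipe happens even when key derivation throws.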