character array is preferred while storing password
Strings are immutable and get stored in heap memory once created, by taking dump of memory one can easily access the passwords stored in it and there’s no way to destroy this data before garbage collection get performed.
But from an array the data can be easily be wiped out. You can overwrite the array with anything you like, and the password won’t be present anywhere in the system, even before garbage collection.
So because of this security concern arrays are preferred over String reduces the chances of attack from outside the system.