There are various reasons why a char array rather than a string should be used to store passwords. The following are a few of them:

• Strings are immutable: The content of Strings cannot be modified/overwritten because any modification will result in the creation of a new String. As a result, we should always save sensitive DATA like passwords, Social Security NUMBERS, and so on in a char[] array rather than a String.
• Security: Because String is immutable, storing the password as plain text keeps it in memory until it is cleaned up by the garbage collector. As string uses SCP (String Constant Pool) for re-usability of a string, it's possible that it'll remain in memory for a long time, and anyone with access to the SCP or memory DUMP can simply identify or retrieve the password in plain text. That's another reason why we should use an encrypted password instead of plain text.
• Logfile safety: With an array, the data can be erased or WIPED up, overwritten and the password will not be present ANYWHERE in the system. Whereas, when using plain String, the chances of mistakenly printing the password to monitors, logs, or other insecure locations are substantially higher.