...
Although this approach fixes the decryption problem from the previous noncompliant code example, at runtime this code may still leave the password in memory as cleartext. Java string objects are immutable and can be copied and internally stored by the Java Virtual Machine. Consequently, Java lacks a mechanism to securely erase a password once it has been stored in a String. See MSC63-JG. Limit the lifetime of sensitive data for more information.
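An added example (not this rule's own code) of the alternative the cross-referenced rule calls for: the password is held in a char[] rather than a String, hashed with a salt, and every intermediate buffer is zeroed as soon as the digest exists. The class name, the SHA-256 digest and the salt handling are assumptions made for the example.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

public final class PasswordHashing {

    // Hypothetical helper: digest salt || password and zero every
    // intermediate byte[] before returning. Only char[] and byte[]
    // copies can be cleared; a String copy never could be.
    public static byte[] hashPassword(char[] password, byte[] salt)
            throws NoSuchAlgorithmException {
        // Encode the chars directly; never call new String(password).
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] passwordBytes = new byte[encoded.remaining()];
        encoded.get(passwordBytes);
        try {
            // SHA-256 is an assumption here; a dedicated password KDF
            // (PBKDF2, bcrypt, scrypt, Argon2) is the better choice in practice.
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            md.update(salt);
            md.update(passwordBytes);
            return md.digest();
        } finally {
            // Wipe both the working copy and the encoder's backing array.
            Arrays.fill(passwordBytes, (byte) 0);
            if (encoded.hasArray()) {
                Arrays.fill(encoded.array(), (byte) 0);
            }
        }
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Constructed input: real code would take the char[] returned by
        // Console.readPassword() instead of a literal.
        char[] password = {'c', 'o', 'r', 'r', 'e', 'c', 't', 'h', 'o', 'r', 's', 'e'};
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        byte[] digest;
        try {
            digest = hashPassword(password, salt);
        } finally {
            // Erase the cleartext as soon as the hash exists.
            Arrays.fill(password, '\0');
        }
        System.out.printf("salt=%s%nhash=%s%n",
                Arrays.toString(salt), Arrays.toString(digest));
    }
}
```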
...
...