...
Even if an attacker knows that the program stores passwords using SHA-1 and a 12-byte salt, they will be unable to recover the value of the password from password.bin and salt.bin. While this fixes the decryption problem from the previous noncompliant code example, at runtime this code may still inadvertently leave the passwords in memory as cleartext, because the pass arguments may not be cleared from memory by the Java garbage collector. See MSC10-J. Limit the lifetime of sensitive data for more information.
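The following is an added example, not code from the page or from the CERT guide, showing the salted-hash scheme described above together with the mitigation that MSC10-J calls for: the password is handled as a char[] and byte[] rather than a String, and both buffers are explicitly zeroed as soon as the hash has been computed or checked instead of being left for the garbage collector. The class name SaltedPasswordStore, the helper names (newSalt, hash, verify, toBytes) and the sample password are assumptions made for this example; the 12-byte salt and the SHA-1 digest are the parameters the page itself names.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

// Added example (not the page's own code): salted-hash storage and verification
// that keeps the password in clearable arrays so the caller can zero them as soon
// as they are no longer needed, rather than leaving cleartext for the GC to ignore.
public final class SaltedPasswordStore {
    private static final int SALT_LENGTH = 12;     // 12-byte salt, as on the page
    private static final String DIGEST = "SHA-1";  // digest the page uses; change here to substitute a stronger one
    private static final SecureRandom RANDOM = new SecureRandom();

    private SaltedPasswordStore() {}

    /** Fresh random salt for a new password record. */
    public static byte[] newSalt() {
        byte[] salt = new byte[SALT_LENGTH];
        RANDOM.nextBytes(salt);
        return salt;
    }

    /** Computes digest(salt || pass). The caller owns 'pass' and is responsible for clearing it. */
    public static byte[] hash(byte[] pass, byte[] salt) {
        try {
            MessageDigest md = MessageDigest.getInstance(DIGEST);
            md.update(salt);
            md.update(pass);
            return md.digest();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(DIGEST + " not available", e);
        }
    }

    /** Recomputes the hash and compares it in constant time; the temporary digest is wiped afterwards. */
    public static boolean verify(byte[] pass, byte[] salt, byte[] storedHash) {
        byte[] computed = hash(pass, salt);
        try {
            return MessageDigest.isEqual(computed, storedHash);
        } finally {
            Arrays.fill(computed, (byte) 0);
        }
    }

    /** Encodes a char[] password as UTF-8 without ever creating a String, then wipes the encoder's buffer. */
    public static byte[] toBytes(char[] password) {
        ByteBuffer buf = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] bytes = new byte[buf.remaining()];
        buf.get(bytes);
        if (buf.hasArray()) {
            Arrays.fill(buf.array(), (byte) 0); // the intermediate copy would otherwise linger on the heap
        }
        return bytes;
    }

    public static void main(String[] args) {
        // Constructed sample password. A real program would obtain it as a char[] from
        // Console.readPassword(); the literal here exists only to make the example self-contained.
        char[] enrolled = "constructed-sample-password".toCharArray();
        byte[] salt = newSalt();
        byte[] passBytes = toBytes(enrolled);
        byte[] stored = hash(passBytes, salt);   // this and 'salt' are what would go to password.bin / salt.bin
        // The password is no longer needed: zero both representations now rather than
        // waiting for the garbage collector, which never overwrites unreachable memory.
        Arrays.fill(passBytes, (byte) 0);
        Arrays.fill(enrolled, '\0');

        char[] attempt = "constructed-sample-password".toCharArray();
        byte[] attemptBytes = toBytes(attempt);
        boolean accepted = verify(attemptBytes, salt, stored);
        Arrays.fill(attemptBytes, (byte) 0);
        Arrays.fill(attempt, '\0');
        System.out.println("correct password accepted: " + accepted);   // true

        byte[] wrong = toBytes("constructed-wrong-password".toCharArray());
        boolean rejected = !verify(wrong, salt, stored);
        Arrays.fill(wrong, (byte) 0);
        System.out.println("wrong password rejected: " + rejected);     // true
    }
}
```

The zeroing is done in the caller and in finally blocks because a String password cannot be cleared at all: its backing array is immutable and stays readable in heap dumps until the collector happens to reuse the memory. Keeping the digest name in one constant also makes the example easy to adapt when a stronger algorithm than the page's SHA-1 is wanted.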
...