...
There are a few cases where you may be forced to encrypt passwords or store them as cleartext. These cases will happen when you are extending code or an application that you cannot change. For example, a password manager may need to input passwords into other programs as cleartext. Another example is if you are working with a library that gives you the password as a Java string object, causing the same vulnerability as in the second noncompliant example. In these cases your best strategy may be to use slightly vulnerable methods such as encryption, unless you can change the other code.