TAsk TAsk - 2 months ago 5x
Java Question

Why PasswordField use String instead of char[] in Vaadin?

String is vulnerable for password values. I noticed that Vaadin

manipulates password as a

Following is default constructor of

public PasswordField() {

My questions :

  • Is it safe to use
    in Vaadin ?

  • What internal API does to assure the safety of the password ?


I did a few research on why Vaadin use String instead of char[] in PasswordField but I found nothing.

Although I did found that the security over PasswordField is inexistent, in specific on Vaadin Docs I come across of this:

You should note that the PasswordField hides the input only from "over the shoulder" visual observation. Unless the server connection is encrypted with a secure connection, such as HTTPS, the input is transmitted in clear text and may be intercepted by anyone with low-level access to the network. Also phishing attacks that intercept the input in the browser may be possible by exploiting JavaScript execution security holes in the browser.

To sum up the security and management of the password is completely up to you. My personal suggestion is to override PasswordField and make it work with char[].

For additional information read also Morfic's answer.