Square's encryption service fails to reliably secure passwords

Kinda ironic, don't you think?

It is a common Java development pattern to handle passwords and related secrets with String objects. Unfortunately, String objects cannot be reliably secured: a String is immutable, so there is no way to overwrite its contents once the secret is no longer needed. As a result, once a secret is placed in a String, it will continue to exist for the life of the JVM (until the next garbage collection *cross fingers*), or for as long as the JVM's footprint may exist in the machine's swap space.
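The contrast described above, as an added example rather than code from Keywhiz or Square: a secret held in a String cannot be wiped because the class offers no way to mutate its backing array, whereas a secret held in a `char[]` can be overwritten with `Arrays.fill` as soon as it has been consumed. The `SecretConsumer` interface and the sample secret are constructed for illustration.

```java
import java.util.Arrays;

/**
 * Added example (not Keywhiz code): the String-vs-char[] secret-handling
 * pattern. SecretConsumer is a hypothetical stand-in for whatever actually
 * uses the secret (a KDF, a cipher initialisation, an authenticator).
 */
public class SecretHandling {

    interface SecretConsumer {
        void accept(char[] secret);
    }

    // Insecure pattern: String is immutable, so nothing can overwrite its
    // backing array. The characters stay on the heap until the GC reclaims
    // them, and possibly longer if those heap pages were swapped to disk.
    static void insecure(String password, SecretConsumer consumer) {
        consumer.accept(password.toCharArray());
        // `password` is still fully readable here; no API can zero it.
    }

    // Corrected pattern: the secret lives in a char[] the caller owns, and it
    // is overwritten the moment it has been consumed, even if the consumer
    // throws.
    static void secure(char[] password, SecretConsumer consumer) {
        try {
            consumer.accept(password);
        } finally {
            Arrays.fill(password, '\0');
        }
    }

    // Helper for checking that a wipe actually happened (handy in unit tests).
    static boolean isWiped(char[] buf) {
        for (char c : buf) {
            if (c != '\0') {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample secret. Real code should obtain it as a char[]
        // from the start (e.g. Console.readPassword()), never from a String
        // literal, since literals are interned and live for the JVM's lifetime.
        char[] secret = new char[] {'h', 'u', 'n', 't', 'e', 'r', '2'};
        secure(secret, s -> System.out.println("consumed " + s.length + " chars"));
        System.out.println("wiped after use: " + isWiped(secret));

        // For contrast: the same secret as a String. Wiping the copy handed to
        // the consumer does nothing to the original.
        String leaked = "hunter2";
        insecure(leaked, s -> Arrays.fill(s, '\0'));
        System.out.println("String still readable: " + leaked);
    }
}
```

The `char[]` pattern narrows the window rather than closing it entirely: a moving garbage collector may have relocated the array and left a stale copy behind before the wipe ran, and any intermediate String created along the way (for example by `new String(secret)` when calling an API that only accepts Strings) reintroduces the original problem. Keeping the secret in `char[]` form end to end, as the `javax.crypto.spec.PBEKeySpec` constructor does by taking a `char[]` and exposing `clearPassword()`, is what makes the wipe meaningful.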

It is easy to forget about this common, insecure Java programming pattern. Thankfully, I was watching Square's open source projects. Square's team was able to correct their encryption service's usage of this pattern. More importantly, they were able to correct it in a timely fashion. Many kudos to their Vuln. Mgt., AppSec, and Development teams.

For the Java coder in you, the changelist may be found at https://github.com/square/keywhiz/commit/047e294e51026333bc15ccbfc44131249c9531bb