Why is char preferred over String for passwords?
Since Strings are immutable there is no way contents of Strings can be changed because any change will produce new String. Once you create a String object and later decide to change the password , there is no way you can empty out the string. You can only make the string eligible for garbage collection . Since String are used in String pool for reusability there is pretty high chance that it will remain in memory for long duration, which pose a security threat .
With an char , you can explicitly wipe the data after you're done with it. You can overwrite the array with anything you like, and the password won't be present anywhere in the system, even before garbage collection .
Java itself recommends using getPassword() method of JPasswordField which returns a char and deprecated getText() method which returns password in clear text stating security reason. Its good to follow advice from Java team and adhering to standard rather than going against it.
Why String is immutable in Java ?
The term Mutable means "can change" and Immutable means "cannot change" . An Immutable Object means that the state of the Object cannot change after its creation. Here the String is immutable means that you cannot change the object itself, but you can change the reference to the object.
More about.... String Immutable in Java