by mdaniel
1268 days ago
> In a non-GC language you’d be able to see explicitly what is going in and out of memory, but with GC the runtime is doing that for you.

I hear you about the GC's calls to free, but if one is concerned about leaking key material, there's an existing pattern for that, no GC nonsense required: use a (byte|char) array and then zero it after use: https://docs.oracle.com/en/java/javase/11/docs/api/java.base...

It runs the same risk as does any general purpose computing in that your process can crash or some attacker can be on the machine sniffing all the things, but it's certainly better than `password = new String("hunter22") // good luck`

I also grant you that managing the key material must be disciplined across the whole lifecycle of that material, so `char[] password = readString().toCharArray()` doesn't help.
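An added illustration of the pattern the comment describes, not code from the comment or from the JDK documentation it links: the password only ever exists as a `char[]`, the copy that `PBEKeySpec` makes and the caller's array are both zeroed on every exit path, and the sample password and salt are constructed values (real code would take the password from `System.console().readPassword()`, which returns a `char[]` without an intermediate `String`).

```java
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public final class KeyMaterialDemo {

    // Derives a key from a password held only in a char[]. PBEKeySpec clones the
    // array internally, so both its copy and the caller's array are zeroed in
    // finally, whether derivation succeeds or throws.
    static byte[] deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return f.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();          // zeroes the copy inside PBEKeySpec
            Arrays.fill(password, '\0');   // zeroes the caller's array
        }
    }

    static boolean allZero(char[] a) {
        for (char c : a) {
            if (c != '\0') return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input. A String literal here would defeat the point:
        // the immutable String would stay on the heap until the GC collects it,
        // which is exactly why readString().toCharArray() does not help.
        char[] password = {'h', 'u', 'n', 't', 'e', 'r', '2', '2'};
        byte[] salt = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16};

        byte[] key = deriveKey(password, salt);
        try {
            System.out.println("derived " + key.length + " key bytes");
            System.out.println("password array zeroed: " + allZero(password));
        } finally {
            Arrays.fill(key, (byte) 0);    // the derived key is key material too
        }
    }
}
```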