When studying Java I learned that Strings were not safe for storing passwords, since you can’t manually clear the memory associated with them (you can’t be sure they will eventually be gc’ed, interned strings may never be, and even after gc you can’t be sure the physical memory contents were really wiped). Instead, I were to use char arrays, so I can zero-out them after use. I’ve tried to search for similar practices in other languages and platforms, but so far I couldn’t find the relevant info (usually all I see are code examples of passwords stored in strings with no mention of any security issue).

I’m particularly interested in the situation with browsers. I use jQuery a lot, and my usual approach is just the set the value of a password field to an empty string and forget about it:

$(myPasswordField).val("");

But I’m not 100% convinced it is enough. I also have no idea whether or not the strings used for intermediate access are safe (for instance, when I use $.ajax to send the password to the server). As for other languages, usually I see no mention of this issue (another language I’m interested in particular is Python).

I know questions attempting to build lists are controversial, but since this deals with a common security issue that is largely overlooked, IMHO it’s worth it. If I’m mistaken, I’d be happy to know just from JavaScript (in browsers) and Python then. I was also unsure whether to ask here, at security.SE or at programmers.SE, but since it involves the actual code to safely perform the task (not a conceptual question) I believe this site is the best option.

Note: in low-level languages, or languages that unambiguously support characters as primitive types, the answer should be obvious (Edit: not really obvious, as @Gabe showed in his answer below). I’m asking for those high level languages in which “everything is an object” or something like that, and also for those that perform automatic string interning behind the scenes (so you may create a security hole without realizing it, even if you’re reasonably careful).

Update: according to an answer in a related question, even using char[] in Java is not guaranteed to be bulletproof (or .NET SecureString, for that matter), since the gc might move the array around so its contents might stick in the memory even after clearing (SecureString at least sticks in the same RAM address, guaranteeing clearing, but its consumers/producers might still leave traces).

I guess @NiklasB. is right, even though the vulnerability exists, the likelyhood of an exploit is low and the difficulty to prevent it is high, that might be the reason this issue is mostly ignored. I wish I could find at least some reference of this problem concerning browsers, but googling for it has been fruitless so far (does this scenario at least have a name?).