Enhancement | Resolution: Won't Fix | P3 | None | 6 | generic | generic
Create a Password class to limit leakage of password characters (compared with char[] or String). Store the chars obfuscated in memory and use OS support for locking the page in memory. The Password class should also have end-to-end support (i.e. from input via Swing/Console to password use in KeyStore/JAAS/etc.).
Passwords currently represented as String or char[] have a number of issues:
Strings are immutable and cannot be cleared. char[] is better, but it does not (a) ensure that no unnecessary copies are created, (b) ensure that all copies of the password are destroyed after use, or (c) prevent password memory from being swapped to disk or written to core files.
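An added sketch in Java of the kind of Password class this request describes; it is not JDK code or part of this request. The class name, the XOR masking scheme and the use(Consumer) method are assumptions; only the in-memory obfuscation and clear-after-use parts are shown, since locking pages in memory needs OS support that pure Java does not expose.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.function.Consumer;
import javax.security.auth.Destroyable;

/** Hypothetical Password holder: chars are masked at rest and exposed only transiently. */
public final class Password implements Destroyable {
    private static final SecureRandom RNG = new SecureRandom();
    private final byte[] mask;    // random one-time mask, two bytes per UTF-16 code unit
    private final char[] masked;  // password XOR mask; the plaintext is never kept at rest
    private boolean destroyed;

    /** Takes ownership of the caller's buffer and wipes it immediately. */
    public Password(char[] plain) {
        masked = new char[plain.length];
        mask = new byte[plain.length * 2];
        RNG.nextBytes(mask);
        for (int i = 0; i < plain.length; i++) {
            masked[i] = (char) (plain[i] ^ maskAt(i));
        }
        Arrays.fill(plain, '\0'); // the caller's copy no longer exists after construction
    }

    private char maskAt(int i) {
        return (char) (((mask[2 * i] & 0xff) << 8) | (mask[2 * i + 1] & 0xff));
    }

    /** Hands a short-lived plaintext copy to the consumer and zeroes it afterwards. */
    public void use(Consumer<char[]> consumer) {
        if (destroyed) throw new IllegalStateException("password destroyed");
        char[] plain = new char[masked.length];
        try {
            for (int i = 0; i < masked.length; i++) {
                plain[i] = (char) (masked[i] ^ maskAt(i));
            }
            consumer.accept(plain); // e.g. KeyStore.load(stream, plain)
        } finally {
            Arrays.fill(plain, '\0'); // wiped even if the consumer throws
        }
    }

    @Override public void destroy() {
        Arrays.fill(masked, '\0');
        Arrays.fill(mask, (byte) 0);
        destroyed = true;
    }

    @Override public boolean isDestroyed() { return destroyed; }
}
```

The consumer must not convert the buffer to a String, otherwise an uncleared copy escapes the try/finally; that is the point (b) above makes about end-to-end support.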