The password protection should be destroyed in the example code in KeyStore specification. Otherwise, applications may just copy and past the code, and forget the requirement for password protection clean up.

    KeyStore.ProtectionParameter protParam =
        new KeyStore.PasswordProtection(password);
+ try {
        // get my private key
        KeyStore.PrivateKeyEntry pkEntry = (KeyStore.PrivateKeyEntry)
            ks.getEntry("privateKeyAlias", protParam);
        PrivateKey myPrivateKey = pkEntry.getPrivateKey();

        // save my secret key
        javax.crypto.SecretKey mySecretKey;
        KeyStore.SecretKeyEntry skEntry =
            new KeyStore.SecretKeyEntry(mySecretKey);
        ks.setEntry("secretKeyAlias", skEntry, protParam);

        // store away the keystore
        try (FileOutputStream fos = new FileOutputStream("newKeyStoreName")) {
            ks.store(fos, password);
        }
+ } finally {
+ protParam.destroy();
+ }