We should not be putting sensitive info into Java Strings. A String is immutable and cannot be zeroed out. Its contents are visible to any code with access to the process memory, until the memory used by the string is GC'd and reused.
Passwords should be passed around in char[], and zeroed as soon as they are no longer required.
I believe this applies to the classes C4Key, BasicAuthenticator and CBLWebSocket.
This is an API breaking change and cannot be implemented until 3.0.
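
A sketch of the char[] pattern described above, as an added example that is not the project's own code. The class `CharArrayCredentials` and its methods are hypothetical, and it assumes the password ends up in an HTTP Basic token (`user:password`, Base64-encoded).

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

// Hypothetical class for illustration; not the library's BasicAuthenticator.
public final class CharArrayCredentials implements AutoCloseable {
    private final String username;
    private final char[] password;   // private copy, wiped in close()

    public CharArrayCredentials(String username, char[] password) {
        this.username = username;
        this.password = password.clone();   // caller can zero its own array right away
    }

    // Builds the Basic token as bytes without ever creating a String
    // that contains the password.
    public byte[] basicAuthToken() {
        CharBuffer chars = CharBuffer.allocate(username.length() + 1 + password.length);
        chars.put(username).put(':').put(password).flip();
        ByteBuffer utf8 = StandardCharsets.UTF_8.encode(chars);
        byte[] raw = new byte[utf8.remaining()];
        utf8.get(raw);
        try {
            return Base64.getEncoder().encode(raw);   // caller zeroes the result after sending
        } finally {
            // Wipe every intermediate buffer that held the clear-text password.
            Arrays.fill(raw, (byte) 0);
            Arrays.fill(chars.array(), '\0');
            if (utf8.hasArray()) Arrays.fill(utf8.array(), (byte) 0);
        }
    }

    @Override
    public void close() {
        Arrays.fill(password, '\0');
    }

    public static void main(String[] args) {
        char[] pw = {'s', '3', 'c', 'r', 'e', 't'};   // constructed sample value
        try (CharArrayCredentials creds = new CharArrayCredentials("alice", pw)) {
            Arrays.fill(pw, '\0');                     // caller's copy is no longer needed
            byte[] token = creds.basicAuthToken();
            System.out.println(token.length + " token bytes ready to send");
            Arrays.fill(token, (byte) 0);
        }
    }
}
```

Any step that converts the array to a String along the way (for example to set a header through a String-only API) reintroduces the immutable copy, so the wipe only helps on paths that stay in arrays or buffers end to end.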