Clearing the password gives no guaranty that its memory is wiped since when you clean the password you just assign new string to it. The old string may or may not get released depending on if anyone is holding reference to it or not but even if it is released from memory then it is not wiped clean until you happen to use that same memory again.
This is what I meant with my question mark earlier. Think it can be a tough job to guarantee the same memory location gets reused by the Xojo application.
We used to be able to clear strings via plugin, but that only works for non-constant strings.
You can try to reuse memory quickly by creating a 1000 new strings and stuff them in an array.
Than free array.
in the Virtual world of today (Virtual Machines, Containers, etc), it is next to impossible to detect when a host memory is being scanned or dumped.