The purpose of clear() methods on classes like this is to zero out the array holding the password, the current implementation just sets the reference to null leaving it to the garbage collector to dispose of - this would happen anyway as soon as the PasswordValidationCallback is eligible for garbage collection,