diff --git a/plugin/src/main/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactory.java b/plugin/src/main/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactory.java
index 2d43600f318..c346f0b7c2e 100644
--- a/plugin/src/main/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactory.java
+++ b/plugin/src/main/java/org/elasticsearch/xpack/security/authc/ldap/LdapUserSearchSessionFactory.java
@@ -171,11 +171,14 @@ class LdapUserSearchSessionFactory extends SessionFactory {
 listener.onResponse(null);
 } else {
 final String dn = entry.getDN();
+ final byte[] passwordBytes = CharArrays.toUtf8Bytes(password.internalChars());
 try {
- LdapUtils.privilegedConnect(() -> connectionPool.bindAndRevertAuthentication(dn, new String(password.internalChars())));
+ LdapUtils.privilegedConnect(() -> connectionPool.bindAndRevertAuthentication(new SimpleBindRequest(dn, passwordBytes)));
 listener.onResponse(new LdapSession(logger, connectionPool, dn, groupResolver, timeout, entry.getAttributes()));
 } catch (LDAPException e) {
 listener.onFailure(e);
+ } finally {
+ Arrays.fill(passwordBytes, (byte) 0);
 }
 }
 }, listener::onFailure));
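Review bot: The `finally { Arrays.fill(passwordBytes, (byte) 0); }` wipe is correct only while the bind inside `LdapUtils.privilegedConnect` completes synchronously and the `SimpleBindRequest` is not kept afterwards, and nothing in the new code states that. If the request holds a reference to the array rather than a copy (not visible here), a later move to an asynchronous bind or a retained request would send or hold zeroed bytes. I would add a comment above the `passwordBytes` declaration such as `// wiped in finally: the bind must finish before this try block exits, and the request must not be reused`. The wipe is best-effort, since it covers only this array and not the caller's `SecureString` or any copies the LDAP library makes while encoding the request. The enclosing method begins and ends outside the hunk.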