in reply to Re: Handling encryption safely
in thread Handling encryption safely
Apparently the current implementation of perl will at least overwrite your string values in memory if you have your password in a scalar and then allocate another string value of exactly the same length to that scalar.
Indeed you can demonstrate this. As it happens, in the example given the critical point for reallocation of memory seems to be 20 bytes (19-char string + \0): equal to or less than this and the same pointer/memory is used; more than this and a different one will appear from the realloc. Overwriting with the same-length string is easy enough though, and you can test for the existence of the desired behaviour as shown. If it changes in the future your test suite will pick it up.
cheers
tachyon
s&&rsenoyhcatreve&&&s&n.+t&"$'$`$\"$\&"&ee&&y&srve&&d&&print
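An added example, not the poster's original code: one way to write the regression test the post describes, checking that a same-length overwrite keeps the scalar's string buffer at the same address. The sample secret and the filler character are constructed here, and the outcome depends on the perl version and build it runs under.

```perl
use strict;
use warnings;
use Test::More tests => 2;

# Constructed sample secret (19 characters), built at run time.
my $password = join '', map { chr(ord('a') + $_) } 0 .. 18;
my $len      = length $password;

# pack 'p' yields the address of the scalar's string buffer as packed bytes.
my $before = pack 'p', $password;

# Overwrite with a filler of exactly the same length.
$password = 'x' x $len;
my $after = pack 'p', $password;

is(unpack('H*', $after), unpack('H*', $before),
    'same-length assignment reused the original string buffer');

SKIP: {
    # If perl moved the string, the old buffer may have been freed,
    # so it is not read back.
    skip 'buffer was not reused, old contents cannot be checked safely', 1
        if $after ne $before;

    # Read $len bytes back from the original address.
    my $bytes = unpack "P$len", $before;
    is($bytes, 'x' x $len, 'original buffer now holds only the filler');
}
```

A failure of the first test means the old value may still be sitting in memory at the previous address, which is the change in behaviour the post says a test suite should catch.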