ESP8266HTTPUpdateServer taking only 'const char *' correctly as argument

I am a little stumped here, in trying to create a webbrowser update for my esp boards i ran into something.
When i use the 'SecureWebUpdater.ino'

/*
  To upload through terminal you can use: curl -u admin:admin -F "image=@firmware.bin" esp8266-webupdate.local/firmware
*/

#include <ESP8266WiFi.h>
#include <WiFiClient.h>
#include <ESP8266WebServer.h>
#include <ESP8266mDNS.h>
#include <ESP8266HTTPUpdateServer.h>

const char* host = "esp8266-webupdate";
const char* update_path = "/firmware";
const char* update_username = "admin";
const char* update_password = "admin";
const char* ssid = "...";
const char* password = ".......";

ESP8266WebServer httpServer(80);
ESP8266HTTPUpdateServer httpUpdater;

void setup(void) {

  Serial.begin(115200);
  Serial.println();
  Serial.println("Booting Sketch...");
  WiFi.mode(WIFI_AP_STA);
  WiFi.begin(ssid, password);

  while (WiFi.waitForConnectResult() != WL_CONNECTED) {
    WiFi.begin(ssid, password);
    Serial.println("WiFi failed, retrying.");
  }

  MDNS.begin(host);

  httpUpdater.setup(&httpServer, update_path, update_username, update_password);
  httpServer.begin();

  MDNS.addService("http", "tcp", 80);
  Serial.printf("HTTPUpdateServer ready! Open http://%s.local%s in your browser and login with username '%s' and password '%s'\n", host, update_path, update_username, update_password);
}

void loop(void) {
  httpServer.handleClient();
}

it all works perfectly and when i go to the webpage i get the requestAuthentication() and when i enter the standard credentials (eg "admin" & "admin" ) i get to the page. Great, just what i needed, except that i want to use my unit specific password, which i have implemented within the same sketch, using the same requestAuthentication() from ArduinoOTA, where it works just fine, i can create user accounts with their own password and set permissions for parts of the webpage. But somehow the moment i pass a variable (char array) to httpUpdater.setup(&httpServer, update_path, update_username, update_password); instead of the const char * it somehow doesn't accept my credentials anymore and gets stuck in this loop (from ESP8266HTTPUpdateServer-impl.h)

void ESP8266HTTPUpdateServerTemplate<ServerType>::setup(ESP8266WebServerTemplate<ServerType> *server, const String& path, const String& username, const String& password)
{
    _server = server;
    _username = username;
    _password = password;

    // handler for the /update form page
    _server->on(path.c_str(), HTTP_GET, [&](){
      if(_username != emptyString && _password != emptyString && !_server->authenticate(_username.c_str(), _password.c_str()))
        return _server->requestAuthentication();
      _server->send_P(200, PSTR("text/html"), serverIndex);
    });

Now i suspect that it is caused by the type of the argument requested (const String&) and the conversion back to c-string, but i don't know hay !?
authenticate(_username.c_str(), _password.c_str()takes char * (char arrays) which is what i am originally providing. Anybody have a clue on how to solve this riddle ?

Oh man, it took me 2 hours of looking and trying, and i post this topic, get up from my chair, take a few steps and think "Maybe it goes out of scope ?" and so i move the declaration for the char array i am passing as the argument for the password , to my global variables (rather than the local where i would normally put it) and bam ! now it does work.

Okay, just one more time and see if i can explain it a little clearer[code
const char* update_path = "/firmware";
const char* update_username = "admin";
const char* update_password = "admin";

ESP8266WebServer httpServer(80);
ESP8266HTTPUpdateServer httpUpdater;

void setup(void) {

httpUpdater.setup(&httpServer, update_path, update_username, update_password);
httpServer.begin();
MDNS.addService("http", "tcp", 80);
}

void loop(void) {
httpServer.handleClient();
}[/code]This is from the original code (that works) i can log in admin, admin. If i just dohttpUpdater.setup(&httpServer, update_path, "username", "password"); i can login (username, password.) but if i do

String password = PasswordGenarator();
char pw[password.length()+1];
password.toCharArray(pw, password.length()+1);
httpUpdater.setup(&httpServer, update_path, "username", password);

login fails, but when i globally declare char pw[7];  // i do know the length of the password, but if i would create a bigger buffer i doubt it would matter Then i can login ! What happens to the pointer ? it is the only function relating to the ArduinoOTA so far where i have this issue, what happens in this callback function

void ESP8266HTTPUpdateServer::setup(ESP8266WebServer *server, const char * path, const char * username, const char * password)
{
    _server = server;
    _username = (char *)username;
    _password = (char *)password;

    // handler for the /update form page
    _server->on(path, HTTP_GET, [&](){
      if(_username != NULL && _password != NULL && !_server->authenticate(_username, _password))
        return _server->requestAuthentication();
      _server->send_P(200, PSTR("text/html"), serverIndex);
    });

(from ESP8266HTTPUpdateServer.cpp) that make '_password' not point to the 'char pw[]' anymore ? I mean i got a fix, but what is going on ?