I’ve been seeing way too many guides, demos, and videos that do something like this in the terminal:

some-utility login my_username 'my_password'

On the surface this might seem fine so long as no one is shoulder surfing while it’s on screen, but in reality it is really, really bad.

My shell right now is Zsh, and one of the files it creates is ~/.zsh_history. If we take a look at the most recent entry in that file, we see:

: 1703298464:0;some-utility login my_username 'my_password'

Uh oh… Our super secret and secure password is now not so secret.

Well who’s going to look at that file anyway? Should be fine right?

WRONG!

This file (and the ones created by any other shells on your system) is an easy target for anyone who gets onto your system. It’s not a huge file, so it can be searched in under a second or exfiltrated for later analysis.

So how are you supposed to deal with passwords, you wonder? It’s pretty easy.

read -s MY_PASSWORD
some-utility login my_username "${MY_PASSWORD}"

read -s will prompt you for a value, hide what you type from any shoulder surfer, and store the value in the shell variable MY_PASSWORD, which you can then use wherever you need it.

If we check our history file, this is what we see:

: 1703299903:0;read -s MY_PASSWORD
: 1703299916:0;some-utility login my_username "${MY_PASSWORD}"

No passwords are leaked and no one around you can see anything. Easy AND secure.
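To make the check concrete, here is an added example (not code from the original post) that audits a history file in the Zsh extended format shown above and flags login commands whose credential was typed in literally rather than passed through a variable. The sample history entries, the some-utility name and the helper function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: audit a Zsh extended-history
# file for commands that pass a credential as a literal argument instead of
# through a variable expansion such as "${MY_PASSWORD}".
#
# With EXTENDED_HISTORY set, Zsh writes one entry per command in the form
#   : <epoch seconds>:<elapsed seconds>;<command>
# which is the format of the entries quoted in the post.

# Constructed sample history for this example; the timestamps and the
# "some-utility" command are made up, not taken from a real machine.
sample_history() {
  cat <<'EOF'
: 1703298464:0;some-utility login my_username 'my_password'
: 1703299903:0;read -s MY_PASSWORD
: 1703299916:0;some-utility login my_username "${MY_PASSWORD}"
: 1703299950:0;ls -la
EOF
}

# Strip the ": <epoch>:<elapsed>;" prefix from each entry on stdin and emit
# only the command text. Plain (non-extended) history lines have no prefix
# and pass through unchanged, so the same audit works on a bash history.
history_commands() {
  sed -e 's/^: [0-9][0-9]*:[0-9][0-9]*;//'
}

# Emit the commands on stdin that invoke a "login" subcommand and contain no
# $VAR or ${VAR} expansion, i.e. whatever credential they pass was typed in
# literally and is now stored in the history file in clear text.
flag_literal_credentials() {
  history_commands \
    | grep -E '(^|[[:space:]])login([[:space:]]|$)' \
    | grep -vE '\$[{]?[A-Za-z_]'
}

# Number of flagged entries in the constructed sample (expected: 1).
count_flagged() {
  sample_history | flag_literal_credentials | wc -l | tr -d ' '
}

# Audit a real history file, defaulting to ~/.zsh_history.
audit_history_file() {
  flag_literal_credentials < "${1:-$HOME/.zsh_history}"
}

# Stand-alone run: print the flagged entries from the constructed sample.
sample_history | flag_literal_credentials
```

Run it against your own file with audit_history_file ~/.zsh_history (or point it at a bash history; lines without the Zsh prefix pass through unchanged). Anything it flags has already been exposed, so rotate that credential rather than only deleting the line. It also only covers what landed in the history file: even with the read -s pattern, the expanded password is still present in the argument list of the running some-utility process for as long as it runs, so the history file is the most durable place the secret ends up, not the only one.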