Some tools require passwords to be entered as command-line arguments. That is great if you're using the tool in a script, but when calling the tool from the command line it leaves the password exposed in the bash history. This might not be a big issue in some cases, but I just can't stand having passwords shown in plaintext anywhere. (Except maybe the occasional temporary, random, auto-generated passwords in e-mail when registering for websites.)
Meimi039 suggested to Hak5 to use a setting so any command starting with a space won't show up in the history. Even though I don't want my passwords in the history, I do like to have my commands in my history file.
So here are my solutions to prevent passwords from being exposed in bash history or in scripts.
When invoking commands that require passwords on the command line I use variables.
Let's say "tool" requires a parameter "-p <PASSWORD>". I've used the following method for a few years:
$ read -r -s PASS
$ tool -p "$PASS"
When done using the $PASS variable, I'd unset it:
$ unset PASS
The method I use in scripts is derived from this.
After watching the video on Hak5 I was thinking about how to make this password usage require less typing. Here's my solution.
In my .bashrc I've included a new alias, passpr (from 'password prompt'):
alias passpr='read -r -s -p "Password: " pass; printf "%s\n" "$pass"; unset pass'
Now I can call the example "tool" like this:
$ tool -p "`passpr`"
Script
In scripts I prefer to use a method derived from the first example of safely using passwords on the command line.
A script could, for example, look like this:
#!/usr/bin/bash
# Prompt without echoing the input; -r keeps backslashes in the password intact.
read -r -s -p "Password for tool: " PASS
tool -p "$PASS"
Finally, I'd like to mention that Hak5 has collected a few tips in their video on how to remove passwords from the history when they have accidentally been entered on the command line.
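To check that the variable and passpr approaches really keep the password out of the history, and to find entries where it was typed literally anyway, here is an added example that is not part of the original post: a POSIX shell function that scans history lines for a literal value after -p. "tool" and -p are the post's placeholders; the function names and the sample history are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. "tool" and "-p" are the post's
# placeholders; function names and the sample history are constructed.
# Real use: find_literal_passwords tool < ~/.bash_history

# Read history lines on stdin. For each "<tool> ... -p <word>" entry where
# <word> is a literal rather than a variable ($PASS, "$PASS") or a command
# substitution (`passpr`, "$(passpr)"), print "LINE: command" with the value
# masked. The ( ) body runs in a subshell, so no variables leak to the caller.
find_literal_passwords() (
    tool=$1 n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -f; set -- $line; set +f      # naive whitespace split, no globbing
        [ "${1:-}" = "$tool" ] || continue
        out=$1 prev=$1 hit=0
        shift
        for word in "$@"; do
            if [ "$prev" = "-p" ]; then
                bare=${word#\"}; bare=${bare#\'}   # ignore one leading quote
                case $bare in
                    '$'* | '`'*) ;;       # expanded at run time, never stored
                    *) word='********'; hit=1 ;;
                esac
            fi
            out="$out $word"
            prev=$word
        done
        [ "$hit" -eq 0 ] || printf '%s: %s\n' "$n" "$out"
    done
)

# Constructed history covering the cases discussed in the post.
sample_history() {
    cat <<'EOF'
read -s PASS
tool -p $PASS
tool -p hunter2 --verbose
tool -p "$(passpr)"
tool -p `passpr`
mkdir -p /tmp/work
tool -p 'S3cret!'
EOF
}

sample_history | find_literal_passwords tool
```

Keeping the password out of the history does not hide it from the process list: while tool runs, its arguments, including the expanded password, are visible to other local users through ps.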