Blog | G5 Cyber Security

Secure Password Input in Bash

TL;DR

This guide shows you how to securely ask for a password in a Bash script without it being visible on the screen or stored in your shell history. We’ll use read -s and other techniques.

How to Securely Get Passwords in Bash

  1. Use read -s: This is the core command. The -s option tells read to suppress echoing of input (hide it from the screen).

Step-by-Step Guide

  1. Basic Password Prompt: Start with a simple prompt.
    #!/bin/bash
    
    read -s -p "Enter your password: " PASSWORD
    echo # Add a newline after the input is hidden
    

    This will ask for a password and store it in the PASSWORD variable. The prompt text appears, but the typed characters won’t be visible.

  2. Clear the Screen: After getting the password, clear the screen to remove any lingering prompts or output that might reveal information.
    #!/bin/bash
    
    read -s -p "Enter your password: " PASSWORD
    echo # Add a newline after the input is hidden
    clear
    
  3. Remove Password from History: Prevent the password from being stored in your shell history.
    #!/bin/bash
    
    history -d $((HISTCMD-1))
    read -s -p "Enter your password: " PASSWORD
    echo # Add a newline after the input is hidden
    clear
    

    This removes the previous command (the read command) from the history. Note that this only works if the script is run interactively.

  4. Securely Use the Password: Now you can use the password in your script, but be careful!
    #!/bin/bash
    
    history -d $((HISTCMD-1))
    read -s -p "Enter your password: " PASSWORD
    echo # Add a newline after the input is hidden
    clear
    
    # Example: Authenticate with ssh (replace user@host)
    # Note: ssh prompts on the terminal itself and does not read $PASSWORD.
    ssh user@host  # this is just an example, do not hardcode passwords in scripts!
    

    Important: Never store passwords directly in your script. This example shows how you might use the password immediately for a command, but it’s better to use key-based authentication or other secure methods.

  5. Wipe the Variable (Optional): For extra security, wipe the PASSWORD variable after using it.
    #!/bin/bash
    
    history -d $((HISTCMD-1))
    read -s -p "Enter your password: " PASSWORD
    echo # Add a newline after the input is hidden
    clear
    
    # Example: Authenticate with ssh (replace user@host)
    # Note: ssh prompts on the terminal itself and does not read $PASSWORD.
    ssh user@host  # this is just an example, do not hardcode passwords in scripts!
    
    unset PASSWORD  # Remove the variable from memory
    

    This removes the PASSWORD variable from the environment.

  6. Handling Errors: Consider what happens if the user doesn’t enter a password. You can check if the variable is empty.
    #!/bin/bash
    
    history -d $((HISTCMD-1))
    read -s -p "Enter your password: " PASSWORD
    echo # Add a newline after the input is hidden
    clear
    
    if [ -z "$PASSWORD" ]; then
        echo "Password cannot be empty."
        exit 1
    fi
    
    # Example: Authenticate with ssh (replace user@host)
    # Note: ssh prompts on the terminal itself and does not read $PASSWORD.
    ssh user@host  # this is just an example, do not hardcode passwords in scripts!
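
Pulling the six steps together, here is an added example (it is not code from the original post) that wraps the prompt in a reusable function. The function names `read_password` and `feed_secret` are this example's own, and `wc -c` stands in for whatever tool actually consumes the secret. It adds one point the steps above only imply: the secret is handed to the consuming command on stdin, never as an argument, because arguments are visible to every user in `ps` output and can land in shell history.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post. Function names
# (read_password, feed_secret) are this example's own.

# read_password VARNAME [PROMPT]
# Prompt on stderr, read with echo suppressed (-s) and backslashes kept
# literal (-r), refuse an empty answer, and store the result in VARNAME.
# Returns 0 on success, 1 if nothing was entered.
read_password() {
  local __var=$1 __prompt="${2:-Enter your password: }" __pw
  # bash prints the -p prompt only when stdin is a terminal, so piped
  # input (as in automated tests) stays quiet.
  IFS= read -r -s -p "$__prompt" __pw
  printf '\n' >&2   # the hidden input swallowed the user's newline
  if [ -z "$__pw" ]; then
    printf 'Password cannot be empty.\n' >&2
    return 1
  fi
  printf -v "$__var" '%s' "$__pw"
  __pw=             # overwrite the local copy before it goes out of scope
}

# feed_secret VARNAME COMMAND [ARGS...]
# Hand the secret to COMMAND on stdin rather than as an argument: anything
# on a command line is visible to every user via ps and may land in history.
feed_secret() {
  local __var=$1
  shift
  printf '%s' "${!__var}" | "$@"
}

# Interactive demo: runs only when executed directly on a terminal, so
# sourcing the file (or running it with piped input) defines the functions
# without prompting.
if [ "${BASH_SOURCE[0]}" = "$0" ] && [ -t 0 ]; then
  read_password PASSWORD || exit 1
  # Stand-in for the real consumer (e.g. a tool with a --password-stdin
  # option): here the secret is only counted, never printed or passed as $1.
  feed_secret PASSWORD wc -c
  unset PASSWORD    # step 5: drop the variable once it has been used
fi
```

Run it directly to get the interactive prompt, or `source` it to reuse the functions in another script. Because the prompt goes to stderr, `read_password` can be used in scripts whose stdout is piped elsewhere without leaking the prompt text into that data.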
    

Important Security Notes
