Secure Password Input in Bash

TL;DR

This guide shows you how to securely ask for a password in a Bash script without it being visible on the screen or stored in your shell history. We’ll use read -s and other techniques.

How to Securely Get Passwords in Bash

1. Use read -s: This is the core command. The -s option tells read to suppress echoing of input (hide it from the screen).

Step-by-Step Guide

1. Basic Password Prompt: Start with a simple prompt.

   #!/bin/bash
   
   read -s -p "Enter your password: " PASSWORD
   echo # Add a newline after the input is hidden
   

   This will ask for a password and store it in the PASSWORD variable. The prompt text appears, but the typed characters won’t be visible.

2. Clear the Screen: After getting the password, clear the screen to remove any lingering prompts or output that might reveal information.

   #!/bin/bash
   
   read -s -p "Enter your password: " PASSWORD
   echo # Add a newline after the input is hidden
   clear
   

3. Remove Password from History: Prevent the password from being stored in your shell history.

   #!/bin/bash
   
   history -d $((HISTCMD-1))
   read -s -p "Enter your password: " PASSWORD
   echo # Add a newline after the input is hidden
   clear
   

   This removes the previous command (the read command) from the history. Note that this only works if the script is run interactively.

4. Securely Use the Password: Now you can use the password in your script, but be careful!

   #!/bin/bash
   
   history -d $((HISTCMD-1))
   read -s -p "Enter your password: " PASSWORD
   echo # Add a newline after the input is hidden
   clear
   
   # Example: Authenticate with ssh (replace user@host)
   ssh user@host <- this is just an example, do not hardcode passwords in scripts!
   

   Important: Never store passwords directly in your script. This example shows how you might use the password immediately for a command, but it’s better to use key-based authentication or other secure methods.

5. Wipe the Variable (Optional): For extra security, wipe the PASSWORD variable after using it.

   #!/bin/bash
   
   history -d $((HISTCMD-1))
   read -s -p "Enter your password: " PASSWORD
   echo # Add a newline after the input is hidden
   clear
   
   # Example: Authenticate with ssh (replace user@host)
   ssh user@host <- this is just an example, do not hardcode passwords in scripts!
   
   unset PASSWORD  # Remove the variable from memory
   

   This removes the PASSWORD variable from the environment.

6. Handling Errors: Consider what happens if the user doesn’t enter a password. You can check if the variable is empty.

   #!/bin/bash
   
   history -d $((HISTCMD-1))
   read -s -p "Enter your password: " PASSWORD
   echo # Add a newline after the input is hidden
   clear
   
   if [ -z "$PASSWORD" ]; then
   echo "Password cannot be empty."
   exit 1
   fi
   
   # Example: Authenticate with ssh (replace user@host)
   ssh user@host <- this is just an example, do not hardcode passwords in scripts!
   

Important Security Notes

• Never Hardcode Passwords: This is the most important rule. Do not store passwords directly in your script files.
• Key-Based Authentication: Use key-based authentication whenever possible, especially for SSH.
• Avoid Storing Passwords at All: If you can avoid storing passwords altogether, do so. Consider using password managers or other secure methods.
• cyber security best practice: Treat passwords as highly sensitive information and protect them accordingly.