I've got a service I need to query. It's faster to do it from a nice shell
script. However the server is password protected and, say you want to use
curl, you are going to type something like this in your terminal:
$ curl -u goofy:'your goat stinks' ...
…where goofy is your user name and your goat stinks is your password.
This means your nice password is going to be stored into the shell history. You probably want to clear the history afterwards. Yeah, maybe you've got an encrypted hard drive, but still you don't want to accidentally show your password while back-searching in your shell history.
You may supply just the user to curl:
$ curl -u goofy
And curl will ask you for the password.
You will need to type it in every single query you send. Which is plain boring, especially if your password is long.
How about copy-and-pasting it? The clipboard buffer is bit better, maybe. But still you get your password wiped every time you copy something different.
How about an environment variable?
$ PASS='your goat stinks'
$ clear
$ curl -u goofy:$PASS ...
$ curl -u goofy:$PASS ...
$ curl -u goofy:$PASS ...
Much better!
Of course that one is going to be recorded in your history, but just
once. After that you can simply edit your .bash_history (or
.zsh_history, ...or your history file in general) and drop the single
PASS= line.
Magic trick: with the most common shells you can avoid history for some commands.
In Bash use the HISTCONTROL environment variable. From the manual:
[...]
HISTCONTROL
A colon-separated list of values controlling how commands are
saved on the history list. If the list of values includes
ignorespace, lines which begin with a space character are not
saved in the history list. [...]
If you are using Zsh you can simply set the hist_ignore_space option
in your .zshrc.
At this point you can simply register the password once, but without
saving it in history (note the leading space in PASS)
$ PASS='your goat stinks'
$ clear
$ curl -u goofy:$PASS ...
$ curl -u goofy:$PASS ...
$ curl -u goofy:$PASS ...
It works just fine!
Of course here we don't mind about the questionable idea of keeping the password in memory, but I guess it depends on how paranoid you are. The copy-and-paste thing is just the same.