When working from the terminal you sometimes need to provide your password, and typing it in clear text is a bad habit. This post shows how to fetch it from the macOS Keychain instead.
Why is it bad to type your password in the terminal?
Typing your password in the terminal is discouraged because:
- It is stored in the terminal history in cleartext.
- If you share your screen with someone while typing, they can see it too.
- It’s a repetitive task and therefore error-prone and annoying.
Adding your password to the macOS Keychain
First, you need to add that password to the macOS Keychain. Open the Keychain Access application and create a new password item (File > New Password Item…). As an example, we will add a password for “https://example.com". Under “Keychain Item Name” type https://example.com (note the https://), and under "Account Name" type your user name (e.g. "alice"). Fill in the password and save the item.
Fetching the password from macOS Keychain
We are going to use the security command-line tool which is provided with macOS. Let's assume you need to provide the password as an environment variable called FOO_PASSWORD, use this:
export FOO_PASSWORD=$(security find-internet-password -a alice -s example.com -w)Prompting for the password
Sometimes you might prefer to be required to actually type your password every time. For example, when you run a command to destroy a resource you might actually want to be prompted, to make sure you don’t run the command by mistake. In that case, you can use the read command. For example, in Bash:
read -se FOO_PASSWORDYou will first be prompted to enter your password (which will be hidden) and then it will be exported to the environment variable FOO_PASSWORD.
