February 4, 2026

Pipes, passwords, and petty drama

I prefer to pass secrets between programs through standard input

Pass your password through a “tube”? Devs split into Team Pipe vs Team Vault

TLDR: A Unix pro says: pass passwords through standard input to avoid leaks from command lines and environments. Commenters split between praising the simplicity, warning about snooping risks, and pushing alternatives like Kubernetes secrets and Linux keyrings—plus a side rant about the site’s “closed web” blockers.

A veteran Unix admin says the safest way to hand a password from one program to another is the old-school way: whisper it through standard input, like sliding a note under a door. No command-line flags, no environment variables—just a direct handoff that’s worked “for years,” even over SSH. He warns to avoid exporting secrets, watch out for weird characters (base64 to the rescue), and keep a tiny “protocol” so both sides agree what’s being sent. It’s a little janky, he admits, but it gets the job done.

Then the comments blew up. One reader blasted the site’s anti-crawler settings—“Nice closed web you’ve got there”—turning a secrets thread into a browser-politics smackdown. Security hawks asked if another process could snoop via “/proc,” while a practitioner shot back that intercepting stdin isn’t trivial. Meanwhile, the ops crowd rolled in: some championed Kubernetes and Docker secret mounts (“permissions, people!”), others flexed Kerberos + macOS Keychain for seamless logins, and Linux veterans dropped the keyctl gospel. The vibe? Team Pipe vs Team Mount vs Team Keyring, with memes about “whispering to your programs” and jokes that pipes are just “text DMs for apps.” It’s scrappy, it’s practical, and it’s peak Unix drama.

Key Points

  • Passing secrets via standard input/output avoids exposure in process listings and environment variables.
  • In Bourne shell, avoid exporting secret variables; use built-in 'echo' but be cautious with non-built-in commands like 'printf'.
  • Encode secrets (e.g., base64) and define a minimal protocol for multiple values, including order and delimiters.
  • Secrets can be piped across machines using SSH (e.g., 'provide-secret | ssh remote consume-secret').
  • Programs that expect a file can receive secrets via Bash process substitution or /dev/fd. The approach is proven in practice; Linux has specialized options for static secrets, and D-Bus is a possible formal solution for dynamic ones.
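
The Key Points above, worked through as an added shell example (not code from the original article or its commenters): a producer and a consumer that agree on a two-line, base64-encoded protocol over standard input. The function names, the field order and the sample values are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example. Assumed protocol: exactly two lines on stdin, in this order:
#   line 1 = base64(username), line 2 = base64(password)

# Stop if printf is an external program here: its arguments would then be
# visible in process listings, the leak this technique is meant to avoid.
case "$(type printf 2>/dev/null)" in
    *builtin*) ;;
    *) echo "printf is not a shell builtin in this shell" >&2; exit 1 ;;
esac

# encode_field: base64 of $1 on one line (GNU base64 wraps at 76 columns,
# which would break a line-delimited protocol for long secrets).
encode_field() {
    printf '%s' "$1" | base64 | tr -d '\n'
    echo
}

# provide_secret: emit both fields in protocol order. The values stay in
# unexported shell variables, so no child process inherits them.
provide_secret() {
    encode_field "$1"
    encode_field "$2"
}

# consume_secret: read both fields from stdin. Returns 2 on a short or empty
# message, 3 on undecodable base64. Prints the password length, not the value.
consume_secret() {
    IFS= read -r u64 || return 2
    IFS= read -r p64 || return 2
    [ -n "$u64" ] && [ -n "$p64" ] || return 2
    user=$(printf '%s' "$u64" | base64 -d 2>/dev/null) || return 3
    pass=$(printf '%s' "$p64" | base64 -d 2>/dev/null) || return 3
    echo "user=$user passlen=${#pass}"
}

# Constructed sample values: leading dash, space, backslash, embedded newline.
demo_user='alice'
demo_pass='-n p\ss
word'

provide_secret "$demo_user" "$demo_pass" | consume_secret
```

The same pipeline works across machines in the form the article gives, with the producer on the left of `ssh` and the consumer on the right.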

Hottest takes

"Nice to see even the nerds are contributing to the closed web" — kevin_thibedeau
"What’s stopping another process from seeing everything?" — Dwedit
"It’s surprisingly hard to intercept a process’ stdin stream" — juancn