Is it Secure to Pass Passwords in a wget Command?
Passing passwords directly within a wget command line is
highly insecure and exposes sensitive credentials to multiple security
risks. While wget allows users to include usernames and
passwords directly in the command string using parameters like
--password or via URL embedding, this practice leaves
credentials visible to other users on the system, stores them in
plaintext command histories, and potentially leaks them through process
monitoring tools. This article explores why this method is unsafe, where
the specific vulnerabilities lie, and the best practices for securely
handling authentication when downloading files.
The Risks of Using Passwords in Command Lines
When you execute a wget command with a plaintext
password, the credential travels through several local systems before
the network request is even made. This creates a wide attack surface for
local users and malicious software.
- Process List Visibility: On Unix-like operating systems, any user can view currently running processes using commands like ps aux or top. If you run a large download, your password will be visible in plaintext to any other user logged into the system for the entire duration of the transfer.
- Shell History Logs: Standard shells (like Bash or Zsh) record executed commands into a hidden history file (e.g., ~/.bash_history). Storing passwords in these files means your credentials remain on the disk in plaintext indefinitely, available to anyone who gains local access to your user account.
- System Auditing and Logs: Many enterprise environments run continuous monitoring and auditing daemons (like auditd). These tools log command-line arguments, meaning your password could be permanently written to central system administration logs.
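The history and audit exposure described above is the one part of this problem a defender can check after the fact. The script below is an added example, not code from the original article: it scans a shell history file for wget invocations that carry a credential in argv and reports each hit with the secret replaced by a placeholder, so the report does not re-leak the password. The sample history lines are constructed for the demonstration, and the function names are the example's own.

```sh
#!/bin/sh
# Added example (not from the article): scan a shell history file for wget
# invocations that pass a credential on the command line, printing each hit
# with the secret redacted so the report itself does not re-leak it.

# Constructed sample history for the demonstration; not a real log.
SAMPLE_HISTORY="$(mktemp)"
trap 'rm -f "$SAMPLE_HISTORY"' EXIT
cat >"$SAMPLE_HISTORY" <<'EOF'
ls -la
wget --user=alice --password=Hunter2 https://example.com/file.zip
wget --user=alice --ask-password https://example.com/file.zip
wget https://bob:S3cret@example.com/data.tar.gz
curl -O https://example.com/public.txt
wget --http-password 'p@ss word' --http-user=carol https://example.com/x
EOF

# Print each wget line in FILE that passes a password in argv, either via
# --password / --http-password / --ftp-password / --proxy-password (with '='
# or a space) or via a user:password@ URL.  The secret becomes <REDACTED>;
# --ask-password is deliberately not matched because it leaks nothing.
redact_wget_creds() {
    grep -E 'wget.*(--(http-|ftp-|proxy-)?password[ =]|://[^/ :@]+:[^/ @]+@)' "$1" \
    | sed -E \
        -e "s/(--(http-|ftp-|proxy-)?password[ =])('[^']*'|\"[^\"]*\"|[^ ]+)/\1<REDACTED>/g" \
        -e 's#(://[^/ :@]+):[^/ @]+@#\1:<REDACTED>@#g'
}

# Number of offending lines in FILE (0 when the history is clean).
count_leaked_wget_creds() {
    redact_wget_creds "$1" | wc -l | tr -d ' '
}

# Stand-alone run: report on the constructed sample, then on the caller's own
# Bash history if one exists.
redact_wget_creds "$SAMPLE_HISTORY"
echo "leaked credentials in sample: $(count_leaked_wget_creds "$SAMPLE_HISTORY")"
if [ -f "$HOME/.bash_history" ]; then
    echo "leaked credentials in ~/.bash_history: $(count_leaked_wget_creds "$HOME/.bash_history")"
fi
```

Run it against ~/.bash_history or ~/.zsh_history to find entries worth removing; the same patterns apply to auditd records, which store the full argument vector.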
Secure Alternatives for wget Authentication
To avoid exposing your credentials, use wget's built-in mechanisms for handling sensitive data.
1. Use a .netrc File
The safest way to pass credentials to wget is by using a
.netrc file located in your home directory. This file
stores auto-login information for various accounts and is read
automatically by wget.
To set it up securely, create or edit the file ~/.netrc
and add your credentials:
machine example.com
login your_username
password your_password
After creating the file, you must restrict its permissions so that only your user can read it:
chmod 600 ~/.netrc
2. Prompt for Password Interactively
If you are running the command manually, you can use the
--ask-password flag. This forces wget to
prompt you for the password securely after the command is launched,
ensuring it never enters the process argument list or shell history.
wget --user=your_username --ask-password https://example.com/file.zip
3. Use Environment Variables Safely
Setting a variable inline on the command line (PASSWORD=... wget ...) still lands in shell history and can still leak, but reading the password into a variable or out of a restricted file at runtime is vastly preferable to hard-coding it into the command string.
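The two file-based approaches, an owner-only .netrc (section 1) and a password read at runtime from a restricted file (section 3), fit together in one small POSIX sh script. This is an added example, not code from the article or from the wget project. It assumes GNU or BusyBox stat -c, runs entirely in a throwaway directory so the real ~/.netrc is never touched, and uses constructed placeholder hosts, user names and passwords. It relies on two documented wget behaviours: wget reads $HOME/.netrc for login data, and when the WGETRC environment variable is set wget reads that file in place of ~/.wgetrc, where the user and password keys correspond to --user and --password.

```sh
#!/bin/sh
# Added example (not from the article): keep wget credentials in owner-only
# files instead of argv.  Covers the .netrc approach and the runtime approach
# (password read from a restricted secret file into a WGETRC config).  All
# files live in a throwaway directory; values are constructed placeholders.

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Return 0 when FILE is a regular file owned by the caller with mode 600 or
# 400, 1 otherwise.  Uses GNU/BusyBox stat -c; BSD stat needs -f instead.
owner_only() {
    [ -f "$1" ] || return 1
    [ "$(stat -c '%u' "$1")" = "$(id -u)" ] || return 1
    case "$(stat -c '%a' "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Write a .netrc entry under HOME_DIR.  The umask in the subshell means the
# file is created 600 from the start; the chmod also tightens a pre-existing
# file, since redirecting into it would keep its old mode.  printf is a shell
# builtin, so the password never appears in any external process's argv.
write_netrc() {
    home_dir="$1" machine="$2" login="$3" password="$4"
    ( umask 077
      printf 'machine %s\nlogin %s\npassword %s\n' "$machine" "$login" "$password" \
          >"$home_dir/.netrc" )
    chmod 600 "$home_dir/.netrc"
}

# Read a password at runtime from an owner-only secret file and emit a wgetrc
# carrying 'user' and 'password'.  Point WGETRC at the printed path; the wget
# command line then holds only the URL.  Refuses a secret file others can read.
make_runtime_wgetrc() {
    secret_file="$1" user="$2" rc="$WORKDIR/wgetrc"
    owner_only "$secret_file" || { echo "refusing: $secret_file is not owner-only" >&2; return 1; }
    pw="$(cat "$secret_file")"
    ( umask 077
      printf 'user = %s\npassword = %s\n' "$user" "$pw" >"$rc" )
    printf '%s\n' "$rc"
}

# Demonstration with constructed values.
SECRET="$WORKDIR/download.pw"
( umask 077; printf 'S3cret-Pl4ceholder\n' >"$SECRET" )

write_netrc "$WORKDIR" example.com your_username your_password
RC="$(make_runtime_wgetrc "$SECRET" your_username)"

owner_only "$WORKDIR/.netrc" && owner_only "$RC" && echo "both credential files are owner-only"

# Real invocations (not run here); neither puts a password in argv:
#   HOME="$WORKDIR" wget https://example.com/file.zip   # wget reads $HOME/.netrc
#   WGETRC="$RC" wget https://example.com/file.zip      # wget reads the config
```

The owner_only check is worth keeping in any deployment script: wget itself does not refuse to use a credential file just because other users can read it, so the permission check has to be done by you.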