Passwordless History

Keep passwords out of your ZSH history

11 stars

Passwordless ZSH history

This ZSH plugin masks secrets in your ZSH history


❯ curl -H 'Authorization: Bearer eyJhbGciOiJIUzUxMiIsInR5c' https://example.com
❯ curl -u foo:bar https://example.com
❯ curl https://foo:bar@example.com
❯ AWS_SECRET_ACCESS_KEY=key aws s3 ls s3://example
❯ export DB_PASSWORD=foo
❯ history | tail
 1  curl -H 'Authorization: ...' https://example.com > /dev/null
 2  curl -u ... https://example.com > /dev/null
 3  curl https://...@example.com > /dev/null
 4  AWS_SECRET_ACCESS_KEY=... aws s3 ls s3://example
 5  export DB_PASSWORD=...

ZSH will let you recover the previous command with secrets immediately after execution:

> curl http://username:password@github.com/foo
> # <up-arrow> recovers command with password immediately after execution
> # <up-arrow> recovers masked command here

To exclude any command from history, prefix with a space. It behaves the same as above:

>  echo "prefixed with space"
> # available here on <up-arrow>
> # Not available here 

Control what secrets are catched by setting the environment variable HISTORY_EXCLUDE_PATTERN. If the pattern includes a single group, that group is substituted with .... The default HISTORY_EXCLUDE_PATTERN is

^ |//([^/]+:[^/]+)@|KEY[=:] *([^ ]+)|TOKEN[=:] *([^ ]+)|BEARER[=:] *([^ ]+)|PASSWO?R?D?[=:] *([^ ]+)|Authorization[=:] *([^'\"]+)|-us?e?r? ([^:]+:[^:]+) 

it is not case sensitive


Using Plain zsh

Download passwordless-history.plugin.zsh, then add to .zshrc

source /path/to/passwordless-history.plugin.zsh

Using Antibody

antibody bundle jgogstad/passwordless-history

Using ZInit

Add the following to .zshrc

zinit light jgogstad/passwordless-history

Using ZPlug

Add the following to .zshrc

zplug 'jgogstad/passwordless-history'


Overwrite HISTORY_EXCLUDE_PATTERN to customize:


The pattern is a regex and it's evaluated with zsh's =~ operator using case insensitive evaluation.