okay so we we have the mongodump tool, it has --password option. Everything works great except this plain password is visible in ps output to everybody.

our database has plain user/password authentication.

The only thing that I found to work is doing like this

echo secretpwd |  mongodump --username backup --oplog

no trace of password in ps and still working.

Is there any better way?

From the docs:

Changed in version 3.0.2: If you wish mongodump to prompt the user for the password, pass the --username option without --password or specify an empty string as the --password value, as in --password "" .

Seems like what you are doing is the recommended way.

Also, this can help further:

If the secret doesn't change between executions, use a special configuration file, ".appsecrets". Set the permissions of the file to be read-only by owner. Inside the file set an environment variable to the secret. The file needs to be in the home directory of the user running the command.

Old post, but it looks like recent versions of mongodump do explicitly support reading the password from standard in. I didn't see anything about it in the documentation, but when I use a similar command to the one in the OP, mongodump generates output like:

reading password from standard input

I'm not sure if it's any better than using echo like in the OP, but I store the password in a file and then use it like this: mongodb --username backup < /path/to/password.txt