TL;DR

Reading a password is easy from the shell, although I’m not sure how secure it is.

The basic solution with bash would be to use the -s option, e.g.:

read -s password

The option turns down echoing on the terminal. I’m still not entirely sure about the security of having it in memory though.

Alas, option -s is missing In POSIX-compliant shells. There’s a solution, though, explained in this answer:

read_password() {
  REPLY="$(
    # always read from the tty even when redirected:
    exec < /dev/tty || exit # || exit only needed for bash

    # save current tty settings:
    tty_settings=$(stty -g) || exit

    # schedule restore of the settings on exit of that subshell
    # or on receiving SIGINT or SIGTERM:
    trap 'stty "$tty_settings"' EXIT INT TERM

    # disable terminal local echo
    stty -echo || exit

    # prompt on tty
    printf "Password: " > /dev/tty

    # read password as one line, record exit status
    IFS= read -r password; ret=$?

    # display a newline to visually acknowledge the entered password
    echo > /dev/tty

    # return the password for $REPLY
    printf '%s\n' "$password"
    exit "$ret"
  )"
}

Thanks, Stéphane Chazelas!