Comment 14 for bug 504423

Eugene Crosser (crosser) wrote :

I would argue that exposing the password in an environment variable is almost as bad as in the command line ("it's safe on most platforms" is not good enough).

I cannot suggest a solution that would work well for all backends... It might be useful to have a separate method to provide the password by giving duplicity the filename that contains it. E.g. via a different environment variable, or via a command-line option ("duplicity --pwdfile=/etc/backuppwd ..."). However, this won't help if the backend is a separate executable and has to have the password in the command line or environment variable - it will still be exposed via /proc. For built-in backends, this looks like a decently good solution.