Obfuscating stored passwords in bash

Posted 2020-07-10 05:47

I have a bash script in which I need to write my password to run a program. Other people can see it. Is there a way to write the password in a not-too-obvious way? Even if he can run the same command in bash and get the password, he can't read it as plain text.

Today I do this:

PASSWORD="1234567"
program --pass="$PASSWORD"

I want to do this

PASSWORD="10101001001010010101010100101" # binary or some other encoding
NEW_PASS="$(decrypt "$PASSWORD")"
program --pass="$NEW_PASS"

Any idea?

Tags: bash
4 answers
骚年 ilove
#2 · 2020-07-10 06:06

A "not too difficult" way is to use ROT13:

PASSWORD=cnffjbeq
REAL_PASSWORD="$(echo "$PASSWORD" | rot13)"

If you don't have a rot13 program, using tr a-z n-za-m works just as well.

Keep in mind that this provides absolutely no security whatsoever. However, it may be sufficient for your "casual viewing" purposes.

#3 · 2020-07-10 06:20

You could use uuencode and uudecode, which are often installed (and always easily available via packages) on Unix systems. Since the encoding will be meaningless it might prevent an observer from easily memorizing the password, i.e., stealing the password via shoulder-surfing. But a well-chosen random clear-text password would accomplish about the same thing without the false illusion of security.

This exact problem is faced by everyone in DevOps these days as automated configuration management becomes more and more necessary.

Here are some better solutions:

  • have a secrets file on the system your script runs on. The script can read its secret at runtime out of the file. This way you can check the script in to source-code control without broadcasting the password, and you can use user permissions to protect the secrets file. You can reuse the script without propagating a password.

  • use no-passphrase ssh public key authentication to get to the remote system

  • use a combination of the above approaches with a role-restricted user. I usually create a user on the target system that can't do anything except what the script wants to do. Modern versions of ssh help with this, as they can ignore the incoming command (see forcecommand in sshd_config or use something like ssh-forcecommand) and just always do a specific thing.

  • authenticate the management agent client via a server-signed certificate. Real configuration-management systems like Puppet and Chef will do this for you.

  • if you are connecting to a web page, you may still be able to create a role-restricted user or at least one that's expendable. Perhaps you could log in by hand once and establish a persistent session. Curl can use cookies and cooperate with this approach.

神经病院院长
#4 · 2020-07-10 06:26

What you're asking for is not only evil -- it simply won't work.

All a user has to do to see your password is to run bash -x your_script and the output will include

+ program '--pass=decrypted-password-here'

...no matter how effective the obfuscation might have been.

What's the actual program you're trying to call that needs a password? Can you hide your password behind a setuid wrapper, such that the wrapper can read the password file even if the user who runs it can't? Can you (borrowing DigitalRoss's suggestion) set up a user account which has a copy of the stored password (or, better, a certificate or keypair), configure it only to be able to run your script and nothing else over SSH, and give the users who should be able to run the script permissions to SSH as that user (or sudo to that user for only the single command, or so forth)?

Etc.

In short: Aim for real security, not obfuscation.


Now, if you did want obfuscation -- the traditional approach is ROT-16:

obfuscated_password="qrpelcgrq-cnffjbeq-urer"
real_password="$(tr a-zA-Z n-za-mN-ZA-M <<<"$obfuscated_password")"

...but if it's a password you actually care about whatsoever, don't obfuscate -- use one of the approaches given above to avoid storing a password in a user-readable manner at all.

聊天终结者
#5 · 2020-07-10 06:27
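The point made in #4 against the ROT13 trick from #2 is easy to demonstrate. The script below is an added example, not code from either answer: it builds a script in the shape the question asks for (an obfuscated constant decoded at runtime with `tr`), runs it under `bash -x`, and checks that the decoded password appears in the trace. The password `cnffjbeq` (ROT13 of `password`) is constructed for the demo, and `true` stands in for the asker's `program`.

```shell
#!/usr/bin/env bash
# Added example, not code from the original answers. Shows that ROT13
# obfuscation (answer #2) is undone by `bash -x` (answer #4): the trace
# prints the decoded value. "cnffjbeq" is a constructed password (ROT13 of
# "password"); `true` is a stand-in for the asker's `program`.

# ROT13 is its own inverse, so one function both obfuscates and decodes.
rot13() {
    printf '%s' "$1" | tr 'a-zA-Z' 'n-za-mN-ZA-M'
}

# Write a script in the shape the question asks for: an obfuscated constant
# that is decoded at runtime and passed to the program on its command line.
make_obfuscated_script() {
    local path="$1" obfuscated="$2"
    cat >"$path" <<EOF
#!/usr/bin/env bash
OBFUSCATED='$obfuscated'
REAL_PASSWORD="\$(printf '%s' "\$OBFUSCATED" | tr 'a-zA-Z' 'n-za-mN-ZA-M')"
true --pass="\$REAL_PASSWORD"   # stand-in for: program --pass="\$REAL_PASSWORD"
EOF
}

# Run the script under `bash -x`, which anyone able to read the script can
# do, and succeed if the plaintext password shows up in the trace output.
trace_reveals_password() {
    local path="$1" plaintext="$2"
    bash -x "$path" 2>&1 | grep -qF -e "--pass=$plaintext"
}

# Stand-alone demo: build the script, trace it, and print the leaked line.
demo() {
    local script
    script="$(mktemp)"
    make_obfuscated_script "$script" "$(rot13 password)"
    if trace_reveals_password "$script" password; then
        echo "obfuscation defeated; the trace contained:"
        bash -x "$script" 2>&1 | grep -F -e "--pass="
    fi
    rm -f "$script"
}

demo
```

The file on disk never contains the string `password`, yet the trace line `+ true --pass=password` does: whatever `decrypt` is, the shell has to hold the plaintext in a variable before it can pass it on, and `-x` prints every expansion.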

Putting the key under the door mat isn't security. But the fact that 'program' needs to take --pass ... means anyone doing 'ps -ef' can see it. If 'program' has a form that can read the password from a pipe, then you should use it instead, e.g. program --pass=- ... < /home/me/.something, and make the file only readable to you.

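The secrets-file suggestion in #3 and the `ps -ef` point in #5 fit together in one small script. The following is an added example, not code from either answer: the secret is read from a file that must be private to its owner (the script refuses a group- or world-readable file, the way ssh refuses a loose private key), and it is handed to the program on stdin so it never appears in the process argument list. `fake_program` and `EXPECTED_PASSWORD` are constructed stand-ins for the asker's `program` and its real password.

```shell
#!/usr/bin/env bash
# Added example, not code from the original answers. Implements the
# secrets-file idea from answer #3 and the stdin delivery from answer #5.
# `fake_program` and EXPECTED_PASSWORD are constructed stand-ins for the
# asker's `program` and its real password.

EXPECTED_PASSWORD='correct horse battery staple'

# Group and other permission bits (columns 5-10 of `ls -l`) must be empty,
# i.e. mode 0600 or tighter. Parsing `ls -l` works on both GNU and BSD.
secret_file_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Print the first line of the secrets file, failing closed if another user
# could read it. Nothing is printed on refusal, so callers cannot proceed
# with an empty or partial secret by mistake.
read_secret() {
    if ! secret_file_is_private "$1"; then
        echo "refusing $1: it is readable by group or others" >&2
        return 1
    fi
    head -n 1 "$1"
}

# Stand-in for `program`. With --pass=- it reads the password from stdin,
# so `ps -ef` shows only the literal "-" instead of the secret.
fake_program() {
    local pass
    case "$1" in
        --pass=-)  IFS= read -r pass ;;
        --pass=*)  pass="${1#--pass=}" ;;   # the leaky form: visible in ps
        *) echo "usage: fake_program --pass=-|--pass=VALUE" >&2; return 2 ;;
    esac
    if [ "$pass" = "$EXPECTED_PASSWORD" ]; then
        echo authenticated
    else
        echo denied >&2
        return 1
    fi
}

# What the asker's script should do instead of PASSWORD="..." in the file:
# the path to the secrets file is the only thing checked into the script.
run_with_secret_from_file() {
    local secret
    secret="$(read_secret "$1")" || return 1
    printf '%s\n' "$secret" | fake_program --pass=-
}

# Stand-alone demo: a world-readable secrets file is rejected, a 0600 one works.
demo() {
    local dir
    dir="$(mktemp -d)"
    printf '%s\n' "$EXPECTED_PASSWORD" >"$dir/secret"
    chmod 644 "$dir/secret"
    run_with_secret_from_file "$dir/secret" || echo "(refused, as expected)"
    chmod 600 "$dir/secret"
    run_with_secret_from_file "$dir/secret"
    rm -rf "$dir"
}

demo
```

Compared with the original `program --pass=$PASSWORD`, this changes two things: the script itself contains no secret, so it can be shared or checked in, and the secret travels over a pipe rather than argv, so `bash -x` still shows it to whoever runs the script (that is unavoidable for the user who legitimately has the file) but `ps` shows nothing to anyone else.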