If you have a case where you can collect a password from a user at each use, I think there is some API for checking (e.g. one-way-hash) that the password matches the one previously saved, without ever exposing the plaintext password to your script.