You Asked
Can you recommend best practices for keeping passwords hidden in command lines for impdp/expdp, shell scripts etc.?
and we said...
Francois - the best way (if you can do it) is to not use a password at all - use an OPS$ (os authenticated) account to run the script. If you need to run it remotely, then within the Oracle technology stack we use Secure External Password Store (SEPS) for this purpose.
https://www.oracle.com/technetwork/database/security/twp-db-security-secure-ext-pwd-stor-133399.pdf Outside of our own technology, I've seen many customers using CyberArk's APIs to insert credential information into scripts and applications.
Is this answer out of date? If it is, please let us know via a Comment