
I am playing around with MongoDB on my localhost and when using ps aux | grep, I got this:

ubuntu   26701  0.2  0.6  96011 27851 pts/3    Sl+  11:14   0:00 mongo -u mongouser -p xxxxxxxx -authenticationDatabase tmpdb

The xxxxxxxx part is not censored by me; I invoked the mongo client with the password from the command line. How does ps know it's sensitive info?

Jeff Schaller
boh

1 Answer


ps does not know that this is a password, so it can't "censor" it. The mongo client, on the other hand, knows this and rewrites its command string so that people can't look at it with ps.

Note that there is a brief (very brief) instant between launching mongo and mongo rewriting its command line string. In this brief moment, the output from ps would include the password.

The password is also stored in your shell's command line history file.

Kusalananda
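
The argv rewrite described in the answer above, as an added example that is not part of the original answer and is not mongo's own source. It assumes Linux, where ps reads /proc/<pid>/cmdline and that file is backed by the process's own argv memory; the function name `scrub_secret_arg` and the sample values are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Find `flag` (e.g. "-p"), copy the argument that follows it to the heap,
 * then overwrite the original in place with 'x'. The length is preserved,
 * so the secret's length still leaks. Returns the private copy (caller
 * frees), or NULL if the flag is absent or has no value after it. */
char *scrub_secret_arg(int argc, char **argv, const char *flag)
{
    for (int i = 1; i + 1 < argc; i++) {
        if (strcmp(argv[i], flag) != 0)
            continue;
        size_t len = strlen(argv[i + 1]);
        char *copy = malloc(len + 1);
        if (copy == NULL)
            return NULL;
        memcpy(copy, argv[i + 1], len + 1);
        memset(argv[i + 1], 'x', len);   /* this is what ps sees afterwards */
        return copy;
    }
    return NULL;
}

/* Print this process's command line as ps would read it (NULs -> spaces).
 * Assumption: Linux procfs is mounted at /proc. */
static void show_cmdline(const char *label)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/cmdline", "r");
    if (f == NULL)
        return;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    for (size_t i = 0; i + 1 < n; i++)
        if (buf[i] == '\0')
            buf[i] = ' ';
    buf[n] = '\0';
    printf("%s: %s\n", label, buf);
}

int main(int argc, char **argv)
{
    show_cmdline("before");   /* the brief window in which ps shows the secret */
    char *secret = scrub_secret_arg(argc, argv, "-p");
    show_cmdline("after");
    free(secret);             /* a real client would authenticate with it first */
    return 0;
}
```

Run it as `./a.out -u mongouser -p <some-test-value>`: the "before" line still contains the value, which is the window the answer warns about, and the shell history entry is unaffected by the rewrite.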