I want to avoid cleartext password on my filesystem
I encrypt my password with a secret key
echo tiger | openssl enc -aes-256-cbc -k MyKey -out $HOME/myconfig
Whenever I call a script, I pass the secret key
sqlplus scott/$(openssl enc -d -aes-256-cbc -k MyKey -in $HOME/myconfig)
Of course you still need the key {MyKey}, but unless you have both the file AND the key, it is safe
also your could obsfuscte the algorythm, so most of your colleagues will not find out what to do with the key and the file