passwd(1) does not clear memory used for the second password input. Use explicit_bzero(3) to zero the memory when we're done with it. Utilities like bioctl(8) and signify(1) already do this.
Index: local_passwd.c
===================================================================
RCS file: /cvs/src/usr.bin/passwd/local_passwd.c,v
retrieving revision 1.52
diff -u -p -u -r1.52 local_passwd.c
--- local_passwd.c 2 Sep 2016 18:06:43 -0000 1.52
+++ local_passwd.c 28 Dec 2016 08:13:07 -0000
@@ -203,9 +203,12 @@ getnewpasswd(struct passwd *pw, login_ca
 continue;
 p = readpassphrase("Retype new password:", repeat, sizeof(repeat), RPP_ECHO_OFF);
- if (p != NULL && strcmp(newpass, p) == 0)
+ if (p != NULL && strcmp(newpass, p) == 0) {
+ explicit_bzero(repeat, sizeof(repeat));
 break;
+ }
 (void)printf("Mismatch; try again, EOF to quit.\n");
+ explicit_bzero(repeat, sizeof(repeat));
 explicit_bzero(newpass, sizeof(newpass));
 }
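Review bot: The wipe of `repeat` is now written twice, once on the match path and once on the mismatch path, so a later edit that adds another way out of the loop after the retype prompt could skip it. Capturing the comparison result in a local `int match` and clearing once keeps the wipe unconditional: `match = (p != NULL && strcmp(newpass, p) == 0);` `explicit_bzero(repeat, sizeof(repeat));` `if (match) break;`. On the match path `newpass` is left intact, presumably because the code after the loop still needs it to compute the hash; that code is outside this hunk, so it is worth confirming that `newpass` is cleared there once the hash exists. The body of getnewpasswd starts and ends outside the hunk.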