On
Just following up on this question a little. 02Anant pretty much has the guts of your question addressed.
Since the VMWare API is available in powershell, C#, Java and Python your exact implementation is going to be specific to the API language platform you use. I'm mostly familiar with writing VCS integration using vRA forms for input, vCO workflows and Java plugin code for the encryption, storage and heavy lifting.
If you are insistant on using the CLI then the VAPI samples are written to be used that way and can provide a great resource. If you want to take in a password then envoke a script that prompts for the password (or username and password) without echoing and then perfoms your actions so you can mask what password is typed from peering eyes.
You will be correct in masking the password in any UI you provide, encrypt the password if putting into storage and only decrypt the password at the point you send credentials across the wire. The API provides SSO connection to vCenter and therefore after authentication you will be using a token for the procedure calls.
Since vmrun is command-line utility for VIX API, it requires plain text password. And your password will be visible on Console Application.
If you can use VixCOM you can protect the passwords before calling the operation. I have used this library in C# https://github.com/dblock/vmwaretasks and used 3DES to protect my passwords before calling individual operation.
One should try to avoid passing clear password and only decrypt it close to operation which requires it.