
Best practices for holding passwords in shell / Perl scripts?


Best practice, IMHO, would be to NOT hold any passwords in a shell / Perl script. That is what public key authentication is for.


If the script is running remotely from the server:

  1. Make your reports views
  2. Give the user you are logging into ONLY access to select on the report views
  3. Just store the password.

That way, all that the user can do is select the data for its report. Even if someone happened to get the password, they would be limited as to what they could do with it.


Personally I hold passwords in configuration files which are then distributed independently of the application, and can be changed to the specific machine/environment. In shell scripts you can source these within the main script.

However, in Perl there are a variety of approaches. You may wish to investigate Getopt::Long for command line options (and additionally Getopt::ArgvFile to store those in a simple configuration file), or look at something like Config::IniFiles for something with a little more power behind it. These are the two types I generally use, but there are other configuration file modules available.
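
The following is an added example, not part of the original answers: one way to source a separately distributed credentials file from a shell script, refusing it unless it is owned by the current user and closed to group and other. The function names, the `DB_USER` / `DB_PASSWORD` variable names and the file path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. The file path and the DB_USER / DB_PASSWORD names are assumptions.

# Print "<octal mode> <owner uid>" for a file (GNU stat first, then BSD stat).
file_mode_owner() {
    stat -c '%a %u' "$1" 2>/dev/null || stat -f '%Lp %u' "$1" 2>/dev/null
}

# load_credentials FILE
# Sources FILE only if it is a readable regular file (not a symlink), owned by
# the current user, with no group/other permission bits. Sourcing executes the
# file as shell code, so a file that someone else can write is refused.
load_credentials() {
    _cf=$1
    case $_cf in */*) ;; *) _cf=./$_cf ;; esac   # keep "." from searching PATH

    if [ -L "$_cf" ] || [ ! -f "$_cf" ] || [ ! -r "$_cf" ]; then
        echo "credentials file missing or not a regular file: $_cf" >&2
        return 1
    fi

    _info=$(file_mode_owner "$_cf") || return 1
    _mode=${_info% *}
    _owner=${_info#* }

    if [ "$_owner" != "$(id -u)" ]; then
        echo "refusing $_cf: not owned by the current user" >&2
        return 1
    fi
    case $_mode in
        *00) ;;                                   # e.g. 600 or 400
        *) echo "refusing $_cf: mode $_mode is open to group/other" >&2
           return 1 ;;
    esac

    . "$_cf"

    # Both values must be present and non-empty after sourcing.
    [ -n "${DB_USER:-}" ] && [ -n "${DB_PASSWORD:-}" ]
}

# Usage in the main script (constructed path):
#   load_credentials /etc/myreport/db.conf || exit 1
```

Create the file with `chmod 600` on each machine and keep it out of the repository that holds the script, so the secret is distributed and rotated independently of the code.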