diff --git a/snc.sh b/snc.sh index a10156a1..fddac060 100755 --- a/snc.sh +++ b/snc.sh @@ -280,7 +280,14 @@ FROM scratch RUN ln -sf var/Users /Users && mkdir /var/Users EOF podman build --from ${RHCOS_IMAGE} --authfile ${OPENSHIFT_PULL_SECRET_PATH} -t default-route-openshift-image-registry.apps-crc.testing/openshift-machine-config-operator/rhcos:latest --file ${INSTALL_DIR}/Containerfile . -retry ${OC} login -u kubeadmin -p $(cat ${INSTALL_DIR}/auth/kubeadmin-password) --insecure-skip-tls-verify=true api.${SNC_PRODUCT_NAME}.${BASE_DOMAIN}:6443 +( + set +x # disable the logging in the subshell to prevent the password leakage + kubeadmin_pass=$(cat ${INSTALL_DIR}/auth/kubeadmin-password) + retry ${OC} login -u kubeadmin -p "$kubeadmin_pass" --insecure-skip-tls-verify=true api.${SNC_PRODUCT_NAME}.${BASE_DOMAIN}:6443 + rm -f ${INSTALL_DIR}/auth/kubeadmin-password + esc_pw="$(printf '%s' "$kubeadmin_pass" | sed -e 's/[\/&|\\]/\\&/g')" + sed -i "s|$esc_pw|REDACTED|g" "${INSTALL_DIR}/.openshift_install.log" +) retry ${OC} registry login -a ${INSTALL_DIR}/reg.json retry podman push --authfile ${INSTALL_DIR}/reg.json --tls-verify=false default-route-openshift-image-registry.apps-crc.testing/openshift-machine-config-operator/rhcos:latest cat << EOF > ${INSTALL_DIR}/custom-os-mc.yaml diff --git a/systemd/crc-cluster-status.sh b/systemd/crc-cluster-status.sh index 9240cac7..a6258643 100644 --- a/systemd/crc-cluster-status.sh +++ b/systemd/crc-cluster-status.sh @@ -1,5 +1,9 @@ #!/bin/bash +set -o pipefail +set -o errexit +set -o nounset +set -o errtrace set -x export KUBECONFIG=/opt/kubeconfig 
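Review bot: The `esc_pw` line in the snc.sh hunk escapes only `/`, `&`, `|` and `\`, so a kubeadmin password containing any other regex metacharacter (`.`, `*`, `[`, `^`, `$`) is still interpreted as a pattern by the following `sed -i`, and the redaction of `.openshift_install.log` can silently miss or over-match; the installer-generated password looks alphanumeric-with-hyphens in practice, but the escape should cover the full set, e.g. `esc_pw="$(printf '%s' "$kubeadmin_pass" | sed -e 's/[][\/.*^$&|\\]/\\&/g')"`. Note also that the `rm -f` and the redaction only run after `retry ... login` returns success; if the login gives up (and snc.sh runs with errexit, which this hunk does not show) the plaintext password remains in both the auth file and the log. `generate_htpasswd_file` in tools.sh reads the same `auth/kubeadmin-password` file, so if it is called after this point in snc.sh it would now find the file missing — the call order is outside the hunk and worth confirming. Finally, `set +x` keeps the password out of the trace, but `-p` still puts it in the `oc` process's argv, visible via `ps` on the build host while the login runs.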
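Review bot: In the crc-cluster-status.sh hunk, `set -o errtrace` has no effect unless an ERR trap is installed, and none appears in this hunk; either add one so failures under the newly enabled errexit are reported in the journal, e.g. `trap 'echo "error at line $LINENO" >&2' ERR`, or drop the option. Stylistically the four `set -o` lines can be the single `set -Eeuo pipefail`. With nounset now on, any reference to an optional variable later in the script (outside this hunk) becomes fatal, so a pass over the rest of the file is warranted.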
@@ -9,19 +13,19 @@ if [ ! -f /opt/crc/pass_kubeadmin ]; then exit 1 fi -PASS_KUBEADMIN="$(cat /opt/crc/pass_kubeadmin)" - rm -rf /tmp/.crc-cluster-ready if ! oc adm wait-for-stable-cluster --minimum-stable-period=1m --timeout=10m; then exit 1 fi -set +x + echo "Logging into OpenShift with kubeadmin user to update $KUBECONFIG" COUNTER=1 MAXIMUM_LOGIN_RETRY=10 -until oc login --insecure-skip-tls-verify=true -u kubeadmin -p "$PASS_KUBEADMIN" https://api.crc.testing:6443 > /dev/null 2>&1; do + +# use a `(set +x)` subshell to avoid leaking the password +until (set +x ; oc login --insecure-skip-tls-verify=true -u kubeadmin -p "$(cat /opt/crc/pass_kubeadmin)" https://api.crc.testing:6443 > /dev/null 2>&1); do if [ "$COUNTER" -ge "$MAXIMUM_LOGIN_RETRY" ]; then echo "Unable to login to the cluster..., authentication failed." exit 1 @@ -33,4 +37,3 @@ done # need to set a marker to let `crc` know the cluster is ready touch /tmp/.crc-cluster-ready - diff --git a/systemd/crc-pullsecret.sh b/systemd/crc-pullsecret.sh index d43bd0a2..895a5480 100644 --- a/systemd/crc-pullsecret.sh +++ b/systemd/crc-pullsecret.sh @@ -1,5 +1,9 @@ #!/bin/bash +set -o pipefail +set -o errexit +set -o nounset +set -o errtrace set -x source /usr/local/bin/crc-systemd-common.sh 
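Review bot: The `until (set +x ; oc login ...)` condition still sends both stdout and stderr to /dev/null, so after `MAXIMUM_LOGIN_RETRY` attempts the only diagnostic is the generic "authentication failed" message even when the real cause is TLS, DNS or the API not answering; now that tracing is off inside that subshell, dropping the `2>&1` (`https://api.crc.testing:6443 > /dev/null); do`) lets the actual error reach the journal at the cost of one line per retry, and as far as I can tell `oc login` does not echo the supplied password in its error output. `set +x` removes the password from the xtrace output, but `-p` still places it in the `oc` process's argv, readable via `ps` by any local user while the command runs; the old code had the same exposure, so this is a caveat for the comment rather than a regression: `# set +x hides the password from the trace; it is still visible in argv for the duration of oc login`. The loop body that increments `COUNTER` continues past the end of the hunk.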
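Review bot: In the crc-pullsecret.sh hunk, `set -o nounset` and `set -o errexit` are now in force when `source /usr/local/bin/crc-systemd-common.sh` runs, so any unset-variable reference or unchecked non-zero command in that shared file (not visible here, and also sourced by ocp-userpasswords.sh in this same commit) now aborts the unit at startup. A quick run of `crc-systemd-common.sh` and its `wait_for_resource` helper under `bash -u` before merging would confirm they tolerate the stricter mode. `set -o errtrace` is inert without an ERR trap; add `trap 'echo "error at line $LINENO" >&2' ERR` if a failure diagnostic is the intent, otherwise drop it.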
@@ -7,14 +11,22 @@ export KUBECONFIG="/opt/kubeconfig" wait_for_resource secret +set +x # disable the logging to avoid leaking the pull secrets + # check if existing pull-secret is valid if not add the one from /opt/crc/pull-secret existingPsB64=$(oc get secret pull-secret -n openshift-config -o jsonpath="{['data']['\.dockerconfigjson']}") existingPs=$(echo "${existingPsB64}" | base64 -d) -echo "${existingPs}" | jq -e '.auths' - -if [[ $? != 0 ]]; then - pullSecretB64=$(base64 -w0 < /opt/crc/pull-secret) - oc patch secret pull-secret -n openshift-config --type merge -p "{\"data\":{\".dockerconfigjson\":\"${pullSecretB64}\"}}" +# check if the .auths field is there +if echo "${existingPs}" | jq -e 'has("auths")' >/dev/null 2>&1; then + echo "Cluster already has the pull secrets, nothing to do" + exit 0 fi +echo "Cluster doesn't have the pull secrets. Setting them from /opt/crc/pull-secret ..." +pullSecretB64=$(base64 -w0 < /opt/crc/pull-secret) +# Create the JSON patch in memory and pipe it to the oc command +printf '{"data":{".dockerconfigjson": "%s"}}' "${pullSecretB64}" | \ + oc patch secret pull-secret -n openshift-config --type merge --patch-file=/dev/stdin + +exit 0 diff --git a/systemd/ocp-userpasswords.sh b/systemd/ocp-userpasswords.sh index c42170d8..f2a6d2a0 100644 --- a/systemd/ocp-userpasswords.sh +++ b/systemd/ocp-userpasswords.sh @@ -1,14 +1,21 @@ #!/bin/bash +set -o pipefail +set -o errexit +set -o nounset +set -o errtrace set -x source /usr/local/bin/crc-systemd-common.sh export KUBECONFIG="/opt/kubeconfig" function gen_htpasswd() { - if [ ! -z "${1}" ] && [ ! -z "${2}" ]; then - podman run --rm -ti xmartlabs/htpasswd $1 $2 >> /tmp/htpasswd.txt + if [ -z "${1:-}" ] || [ -z "${2:-}" ]; then + echo "gen_htpasswd needs two arguments: username password" 1>&2 + return 1 fi + + podman run --rm docker.io/xmartlabs/htpasswd "$1" "$2" } wait_for_resource secret 
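Review bot: With errexit now on, `existingPs=$(echo "${existingPsB64}" | base64 -d)` aborts the whole unit if the existing `.dockerconfigjson` value is not valid base64, so a corrupt placeholder secret would now prevent the real pull secret from ever being installed, whereas the old script fell through to the patch; `existingPs=$(echo "${existingPsB64}" | base64 -d 2>/dev/null || true)` preserves the fall-through. The new `jq -e 'has("auths")'` test also differs from the old `.auths` test: it returns true for `"auths": null`, and, like the old one, for `"auths": {}`, so a secret that exists but holds no registry entries is reported as "already has the pull secrets"; `jq -e '.auths | type == "object" and length > 0'` checks for actual entries. Feeding the patch through `--patch-file=/dev/stdin` instead of `-p` keeps the secret out of argv, which is the right call.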
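Review bot: In the ocp-userpasswords.sh hunk, `gen_htpasswd` now hands the kubeadmin and developer passwords to `docker.io/xmartlabs/htpasswd`, a third-party image referenced by its mutable default tag, so the hash for the cluster admin account is computed by whatever that tag resolves to at pull time; pin it by digest (`docker.io/xmartlabs/htpasswd@sha256:<digest>`), or, if `httpd-tools` is available in the VM image as `${HTPASSWD}` suggests it is on the build host, use the local binary with the password on stdin, `htpasswd -niB "$1" <<<"$2"`, and drop the container entirely. Passing the password as a container argument also exposes it in the argv of `podman` and of the container entrypoint, visible via `ps` on the VM; the old code had the same exposure, so this is a caveat for the function's comment rather than a regression: `# password is passed as argv and visible in ps for the duration of the run`. Dropping `-ti` is correct for a script run from systemd without a terminal.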
@@ -19,20 +26,24 @@ if [ ! -f /opt/crc/pass_developer ]; then fi if [ ! -f /opt/crc/pass_kubeadmin ]; then - echo "developer password does not exist" + echo "kubeadmin password does not exist" exit 1 fi -PASS_DEVELOPER=$(cat /opt/crc/pass_developer) -PASS_KUBEADMIN=$(cat /opt/crc/pass_kubeadmin) +echo "generating the kubeadmin and developer passwords ..." -rm -f /tmp/htpasswd.txt -gen_htpasswd developer "${PASS_DEVELOPER}" -gen_htpasswd kubeadmin "${PASS_KUBEADMIN}" +set +x # /!\ disable the logging to avoid leaking the passwords -if [ -f /tmp/htpasswd.txt ]; then - sed -i '/^\s*$/d' /tmp/htpasswd.txt +dev_pass=$(gen_htpasswd developer "$(cat /opt/crc/pass_developer)") +adm_pass=$(gen_htpasswd kubeadmin "$(cat /opt/crc/pass_kubeadmin)") - oc create secret generic htpass-secret --from-file=htpasswd=/tmp/htpasswd.txt -n openshift-config --dry-run=client -o yaml > /tmp/htpass-secret.yaml - oc replace -f /tmp/htpass-secret.yaml -fi +echo "creating the password secret ..." +# use bash <() to use a temporary fd file +# use sed to remove the empty lines +oc create secret generic htpass-secret \ + --from-file=htpasswd=<(printf '%s\n%s\n' "$dev_pass" "$adm_pass") \ + -n openshift-config \ + --dry-run=client -oyaml \ + | oc apply -f- + +echo "all done" diff --git a/tools.sh b/tools.sh index f6d610bb..3b3d98a5 100755 --- a/tools.sh +++ b/tools.sh @@ -219,7 +219,10 @@ function create_vm { function generate_htpasswd_file { local auth_file_dir=$1 local pass_file=$2 - random_password=$(cat $1/auth/kubeadmin-password) - ${HTPASSWD} -c -B -b ${pass_file} developer developer - ${HTPASSWD} -B -b ${pass_file} kubeadmin ${random_password} + ( + set +x # use a subshell to avoid leaking the password + local random_password=$(cat $1/auth/kubeadmin-password) + ${HTPASSWD} -c -B -i "${pass_file}" developer <<<"developer" + ${HTPASSWD} -B -i "${pass_file}" kubeadmin <<<"${random_password}" + ) }
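Review bot: In the ocp-userpasswords.sh hunk, the comment `# use sed to remove the empty lines` above the `oc create secret` pipeline describes code that is not there — nothing in the new code calls sed, and the process substitution writes exactly two lines; either drop the comment or replace it with `# two htpasswd entries, one per line`. `dev_pass` and `adm_pass` hold bcrypt htpasswd lines rather than passwords, so `dev_entry`/`adm_entry` would read more honestly and make the scope of the `set +x` comment clearer. Switching from `oc replace` to `oc apply -f-` also changes the behaviour when `htpass-secret` does not yet exist (apply creates it, replace failed); presumably intended, but worth a sentence in the commit message.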
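Review bot: In the tools.sh hunk, `local random_password=$(cat $1/auth/kubeadmin-password)` declares and assigns on one line, so a failed `cat` (missing or unreadable file) is masked by `local`'s zero exit status and `${HTPASSWD} -B -i ... kubeadmin` proceeds with empty stdin; split it and reuse the already-declared local: `local random_password` / `random_password=$(cat "${auth_file_dir}/auth/kubeadmin-password") || return 1`. The explicit `|| return 1` matters because whether tools.sh runs under errexit is not visible in this hunk. Also note that bash releases before 5.1 implement `<<<` here-strings with a temporary file in `$TMPDIR`, so the password briefly touches disk; `printf '%s\n' "${random_password}" | ${HTPASSWD} -B -i "${pass_file}" kubeadmin` avoids that while still keeping it out of argv.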