diff --git a/Cargo.toml b/Cargo.toml index a3fc1f5..91b26d4 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -26,6 +26,7 @@ console = "0.16.0" indicatif = "0.18.0" tabled = "0.20.0" colored = "3.0.0" +zeroize = "1.7.0" [dev-dependencies] tempfile = "3.20.0" diff --git a/src/cli/mod.rs b/src/cli/mod.rs index 048c578..869cf79 100644 --- a/src/cli/mod.rs +++ b/src/cli/mod.rs @@ -1,5 +1,6 @@ use crate::error::ConversionError; use clap::Parser; +use crate::secure::SecurePassword; use std::path::Path; #[derive(Parser, Debug)] @@ -53,9 +54,9 @@ pub struct Args { } impl Args { - /// Get the password, defaulting to empty string if none provided - pub fn password(&self) -> &str { - self.password.as_deref().unwrap_or("") + /// Get the password, wrapped in a secure container that zeroizes memory when dropped + pub fn password(&self) -> SecurePassword { + SecurePassword::from_option(self.password.as_deref()) } /// Get the output directory, defaulting to current directory diff --git a/src/lib.rs b/src/lib.rs index be8bf13..4e5fe8b 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -29,7 +29,9 @@ pub mod converter; pub mod error; pub mod openssl; pub mod output; +pub mod secure; // Re-export commonly used types pub use error::ConversionError; pub use openssl::{ParsedPfx, PemFormatter, PfxParser}; +pub use secure::SecurePassword; diff --git a/src/openssl/parser.rs b/src/openssl/parser.rs index 8a05e92..0aac042 100644 --- a/src/openssl/parser.rs +++ b/src/openssl/parser.rs @@ -1,5 +1,6 @@ use crate::error::ConversionError; use crate::openssl::ParsedPfx; +use crate::secure::SecurePassword; use openssl::pkcs12::Pkcs12; use std::ffi::OsStr; use std::fs; diff --git a/src/secure.rs b/src/secure.rs new file mode 100644 index 0000000..cde1764 --- /dev/null +++ b/src/secure.rs 
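Review bot: In the second src/cli/mod.rs hunk, `Args::password()` builds a fresh `SecurePassword` from `self.password.as_deref()` on every call, so only those copies are wiped on drop while the original value stored in `Args` stays in memory for the life of the process. The field itself is outside the hunk, but `as_deref()` suggests an `Option<String>`, and the `#[derive(Parser, Debug)]` visible in the first hunk appears to apply to `Args`, in which case `{:?}` on the struct would still print the password. Consider moving the secret out of `Args` once, for example `self.password.take()` handed to a constructor that takes the `String` by value, and excluding the field from `Debug`. The new doc comment also drops the fact that a missing password becomes an empty one; something like `/// Returns the password (empty if none was given) in a container that is zeroized on drop.` keeps that. The `impl Args` block continues past the end of the hunk.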
@@ -0,0 +1,58 @@
+use std::fmt;
+use std::ops::Deref;
+use zeroize::Zeroize;
+
+/// A secure password container that automatically zeroizes memory when dropped
+#[derive(Clone)]
+pub struct SecurePassword {
+ value: String,
+}
+
+impl SecurePassword {
+ /// Create a new secure password from a string
+ pub fn new>(value: S) -> Self {
+ Self {
+ value: value.as_ref().to_string(),
+ }
+ }
+
+ /// Create a new secure password from an optional string
+ /// Returns a secure password with an empty string if None is provided
+ pub fn from_option>(value: Option) -> Self {
+ match value {
+ Some(s) => Self::new(s),
+ None => Self::new(""),
+ }
+ }
+
+ /// Borrow the password as a string slice
+ pub fn as_str(&self) -> &str {
+ &self.value
+ }
+
+ /// Check if the password is empty
+ pub fn is_empty(&self) -> bool {
+ self.value.is_empty()
+ }
+}
+
+impl Deref for SecurePassword {
+ type Target = str;
+
+ fn deref(&self) -> &Self::Target {
+ &self.value
+ }
+}
+
+impl Drop for SecurePassword {
+ fn drop(&mut self) {
+ self.value.zeroize();
+ }
+}
+
+// Prevent accidentally displaying the password in logs or debug output
+impl fmt::Display for SecurePassword {
+ fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+ write!(f, "[REDACTED]")
+ }
+}
\ No newline at end of file
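Review bot: The comment above `impl fmt::Display` promises protection in logs and debug output, but the type has no `Debug` impl, and pairing `Display` with `Deref<Target = str>` creates two inconsistent paths: `pw.to_string()` resolves to the `Display` impl and silently yields `"[REDACTED]"` instead of the secret, while `&*pw` or `pw.as_str()` formats the real value. I would replace `Display` with a manual redacting `Debug` as sketched below, and consider dropping `Deref` so every exposure of the plaintext goes through an explicit `as_str()` call. `new` copies out of a borrowed value (`value.as_ref().to_string()`), so the caller's original buffer is never wiped; a constructor that takes a `String` by value would avoid leaving that second copy behind. `#[derive(Clone)]` likewise multiplies the live copies of the secret and is worth removing unless a caller needs it.

```rust
// replaces the Display impl: keeps {:?} safe and removes the to_string() trap
impl fmt::Debug for SecurePassword {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("SecurePassword([REDACTED])")
    }
}
```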