One way to script password changes without storing the actual password in a script is to store the password hash instead. The easiest way to generate a password hash in Arch is to use OpenSSL:

openssl passwd -1 supersecret
# outputs: $1$rKdEHNXm$T0Aa6KraqcX5En5.QFUWg/

That generated password can be used as input to chpasswd so long as you pass the -e option:

echo 'root:$1$rKdEHNXm$T0Aa6KraqcX5En5.QFUWg/' | chpasswd -e

Setting multiple passwords can be done with a heredoc string; just make sure to disable parameter substitution or escape the dollar signs:

cat <<-'END' | chpasswd -e

The “$1$” at the beginning of the hashed password indicates the algorithm which in this case is MD5.

In some distributions you can use mkpasswd to specify a stronger hashing algorithm such as SHA-512. Arch doesn’t ship with mkpasswd, but you can use passwd and copy the hashed password (the second colon-delimited field) directly from /etc/shadow:

cat<<-'END' | chpasswd -e