One way to script password changes without storing the actual password in a script is to store the password hash instead. The easiest way to generate a password hash in Arch is to use OpenSSL:

openssl passwd -1 supersecret
# outputs: $1$rKdEHNXm$T0Aa6KraqcX5En5.QFUWg/

That generated password can be used as input to chpasswd so long as you pass the -e option:

echo 'root:$1$rKdEHNXm$T0Aa6KraqcX5En5.QFUWg/' | chpasswd -e

Setting multiple passwords can be done with a heredoc string; just make sure to disable parameter substitution or escape the dollar signs:

cat <<-'END' | chpasswd -e
root:$1$Ft51DyT7$zoC8UOkl5/9B3hBwV4Mgy/
chendry:$1$oJzVwv06$.seYE/UPSW9do8xjyMhCu.
END

The “$1$” at the beginning of the hashed password indicates the algorithm which in this case is MD5.

In some distributions you can use mkpasswd to specify a stronger hashing algorithm such as SHA-512. Arch doesn’t ship with mkpasswd, but you can use passwd and copy the hashed password (the second colon-delimited field) directly from /etc/shadow:

cat<<-'END' | chpasswd -e
root:$6$DKk7Gt1Q$QncnPoiViFHa11/M7fjgv0rPEPp6uBSaBe7YsusJfuuBemZ8hQ74H0rpo2cdBpD0dGawRqGKHO8YE9pPO0NBD1
chendry:$6$RVpfhk0i$vW4cmRJp5dNr3OYSChdii2t2EXyPvPzWUCzAyb8JX.nJcPau0NGEcIiO1rP9WYnCdaTesZZNZB.KV.z3mnhmY.
END