I'm sure this is a solved problem, but I can't think what the solution is.

Maybe it is, but I'm not aware of a reusable implementation of that solution...

Can the script request a password from another place without a coder who is editing the script being able to view the password?

In the near future I will have to implement something like that, my ideas so far:

• script opens a secure connection to a secure password server (protocol irrelevant, ssl/http, ssl/soap, ssh, whatever) and keeps the connection open waiting for a response
• server process opens a ssh connection to the machine of the supplicant, with pubkey authentication
• server checks client process, uid, script checksum, open file descriptors etc to be sure this client is the right one to be answered - and that nobody tampers with or traces it
• if checks are positive (checks are done against database entries on the server) the server emits the password to the client and closes the connection

That way it is the password server's duty to make sure it deals out credentials only to authorized clients. Every change to the client script, i.e. its checksum must be propagated to the server. While it is not impossible for a third party to get the password on the client's machine (which is always compromised in the view of the password server), it is much more difficult than reading a configuration file or the scripts source code.

Security stands and falls with the ability of the granting part to verify the integrity of the requesting part, which might be impossible. But any attempt is better than nothing. There's no limit to "paranoia" ;-)