I'd suggest that putting obfuscated code into any production arena is always a bad thing.

Instead if I were in this situation I'd make the script setuid root (or give it a setuid wrapper if you don't have secure setuid scripts on your O/S) and arrange that the user cannot read or modify it.

That frees you up to put both code and password in plain text.

Hugo