If the intention is to connect to a remote database, then a local internal logon will not work.
In that case the user can use the TWO_TASK variable to hide the identify of the database from the command line, and only specify the username on the command line - forcing sqlplus to prompt for the password.
/home/billy> export TWO_TASK=dev1 /home/billy> sqlplus billy SQL*Plus: Release 188.8.131.52.0 Production on Mon Jul 1 07:35:38 2013 Copyright (c) 1982, 2011, Oracle. All rights reserved. Enter password: Connected to: Oracle Database 11g Enterprise Edition Release 184.108.40.206.0 - 64bit Production With the Partitioning, Real Application Clusters, Automatic Storage Management, Oracle Label Security, OLAP, Data Mining, Oracle Database Vault and Real Application Testing options Session altered. SQL> !ps -fu billy | grep sqlplus | grep -v grep billy 32521 2177 0 07:35 pts/8 00:00:00 rlwrap /home/billy/instantclient_11_2/sqlplus billy billy 32522 32521 0 07:35 pts/14 00:00:00 /home/billy/instantclient_11_2/sqlplus SQL>
As you can see, the only details available by looking at the process's command line is the schema name used as logon. No database details. No password details.