diff --git a/mmcli.py b/mmcli.py
index 91f08e1..deaaf4d 100755
--- a/mmcli.py
+++ b/mmcli.py
@@ -451,15 +451,20 @@ Hint: JSON output can be filtered with jq(1).
 subparsers = argparser.add_subparsers(title="actions", dest="action", required=True)
- parser_login = subparsers.add_parser("login", help="retrieve an access token")
+ password_argument_warning = f"""
+Security note: Other programs and users can typically read which arguments you give to any program. Therefore it strongly advised to use the environment variable (envvar) method when passing the credentials to the program. In many shells you can do so like this:
+ {ENVVAR_USERNAME}='aiden' {ENVVAR_PASSWORD}='2FifeVg2UGbCETYdaWscf7hmDvUHbp' {prog_name} login
+ """.strip()
+ parser_login = subparsers.add_parser(
+ "login", help="retrieve an access token", epilog=password_argument_warning, formatter_class=argparse.RawTextHelpFormatter)
 parser_login.add_argument(
 "login_id", help=f"username or email; envvar: {ENVVAR_USERNAME}", default=os.getenv(ENVVAR_USERNAME))
 parser_login.add_argument(
- "--password", help=f"envvar: {ENVVAR_PASSWORD}", default=os.getenv(ENVVAR_PASSWORD))
+ "--password", help=f"see security note below; envvar: {ENVVAR_PASSWORD}", default=os.getenv(ENVVAR_PASSWORD))
 parser_login.add_argument(
- "--totp", help=f"envvar: {ENVVAR_TOTP}", default=os.getenv(ENVVAR_TOTP))
+ "--totp", help=f"see security note below; envvar: {ENVVAR_TOTP}", default=os.getenv(ENVVAR_TOTP))
 # TODO support multiple channels
 # parser_cat = subparsers.add_parser("cat", help="list messages in channel(s)")
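Review bot: The invocation shown in the new epilog (`{ENVVAR_USERNAME}='aiden' ... {prog_name} login`) will be rejected by argparse as written, because `login_id` is a positional argument without `nargs`, so it stays required and its `default=os.getenv(ENVVAR_USERNAME)` is never used; adding `nargs="?"` to that `add_argument` call makes the recommended environment-variable path work. The security note could also mention that an inline assignment typed at the prompt is normally saved to shell history and that the environment remains readable by other processes of the same user, so it reduces exposure rather than removing it. If nothing later in the file already prompts, a `getpass.getpass()` fallback when the parsed password is `None` would give a route that touches neither argv nor the environment. The help text has a typo ("it strongly advised" should read "it is strongly advised"), and the sample password would be clearer as an obvious placeholder such as `'<password>'`. The enclosing function starts and ends outside the hunk.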