Terraform, an infrastructure as code (IaC) tool, requires careful handling of secrets like passwords and API keys to avoid security breaches. Best practices for managing these secrets include using variables instead of hardcoding them, leveraging secrets managers such as AWS Secrets Manager, and utilizing ephemeral resources introduced in Terraform 1.10. Ephemeral resources allow Terraform to use sensitive data without persisting it in the state or plan, thereby minimizing the risk of leaks. Additionally, the sensitive flag can protect sensitive values from being exposed in CLI outputs. Storing Terraform state in secure, encrypted remote backends is also recommended to protect sensitive information. Together, these strategies enhance security while maintaining the automation and reusability benefits of IaC.
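The practices above combined in one configuration, as an added example that is not from the original page. The bucket, state key, secret name, database host, and the use of the community `cyrilgdn/postgresql` provider are placeholder assumptions, and the secret is assumed to hold a JSON object with `username` and `password` keys.

```hcl
terraform {
  required_version = ">= 1.10" # ephemeral resources need Terraform 1.10+

  required_providers {
    aws        = { source = "hashicorp/aws" }
    postgresql = { source = "cyrilgdn/postgresql" } # assumed consumer of the secret
  }

  # Remote state in an encrypted backend (placeholder bucket and key).
  backend "s3" {
    bucket  = "example-tfstate-bucket"
    key     = "prod/app/terraform.tfstate"
    region  = "us-east-1"
    encrypt = true # server-side encryption of the state object
  }
}

provider "aws" {
  region = "us-east-1"
}

# Weak (avoid): a literal default is committed to version control.
#   variable "api_key" { default = "hardcoded-value" }

# Better: no default, supplied at run time (for example via TF_VAR_api_key).
# sensitive only redacts CLI output; a resource that stores the value
# still writes it to state, which is why the backend above matters.
variable "api_key" {
  type      = string
  sensitive = true
}

# Ephemeral resource: fetched during the run, never persisted in state or plan.
ephemeral "aws_secretsmanager_secret_version" "db" {
  secret_id = "example/db-credentials" # placeholder secret name
}

locals {
  # Values derived from an ephemeral resource stay ephemeral.
  db_creds = jsondecode(ephemeral.aws_secretsmanager_secret_version.db.secret_string)
}

# Provider configuration is one place ephemeral values may be referenced.
provider "postgresql" {
  host     = "db.example.internal" # placeholder host
  port     = 5432
  username = local.db_creds["username"]
  password = local.db_creds["password"]
}
```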