diff --git a/keystoneauth1/extras/_saml2/_loading.py b/keystoneauth1/extras/_saml2/_loading.py
index 62ad42ad..1908ea9b 100644
--- a/keystoneauth1/extras/_saml2/_loading.py
+++ b/keystoneauth1/extras/_saml2/_loading.py
@@ -28,7 +28,7 @@ class Saml2Password(loading.BaseFederationLoader):
                         help=('An Identity Provider URL, where the SAML2 '
                               'authentication request will be sent.')),
             loading.Opt('username', help='Username'),
-            loading.Opt('password', help='Password')
+            loading.Opt('password', secret=True, help='Password')
         ])
 
         return options
@@ -47,7 +47,7 @@ class ADFSPassword(loading.BaseFederationLoader):
             loading.Opt('service-provider-endpoint',
                         help="Service Provider's Endpoint"),
             loading.Opt('username', help='Username'),
-            loading.Opt('password', help='Password')
+            loading.Opt('password', secret=True, help='Password')
         ])
 
         return options
diff --git a/keystoneauth1/loading/_plugins/identity/generic.py b/keystoneauth1/loading/_plugins/identity/generic.py
index 8d4670d2..68c48159 100644
--- a/keystoneauth1/loading/_plugins/identity/generic.py
+++ b/keystoneauth1/loading/_plugins/identity/generic.py
@@ -24,7 +24,8 @@ class Token(loading.BaseGenericLoader):
         options = super(Token, self).get_options()
 
         options.extend([
-            loading.Opt('token', help='Token to authenticate with'),
+            loading.Opt('token', secret=True,
+                        help='Token to authenticate with'),
         ])
 
         return options
@@ -46,6 +47,6 @@ class Password(loading.BaseGenericLoader):
                         deprecated=[loading.Opt('username')]),
             loading.Opt('user-domain-id', help="User's domain id"),
             loading.Opt('user-domain-name', help="User's domain name"),
-            loading.Opt('password', help="User's password"),
+            loading.Opt('password', secret=True, help="User's password"),
         ])
         return options
diff --git a/keystoneauth1/loading/_plugins/identity/v3.py b/keystoneauth1/loading/_plugins/identity/v3.py
index 3f476706..a77415bc 100644
--- a/keystoneauth1/loading/_plugins/identity/v3.py
+++ b/keystoneauth1/loading/_plugins/identity/v3.py
@@ -74,7 +74,8 @@ class _OpenIDConnectBase(loading.BaseFederationLoader):
 
         options.extend([
             loading.Opt('client-id', help='OAuth 2.0 Client ID'),
-            loading.Opt('client-secret', help='OAuth 2.0 Client Secret'),
+            loading.Opt('client-secret', secret=True,
+                        help='OAuth 2.0 Client Secret'),
             loading.Opt('access-token-endpoint',
                         help='OpenID Connect Provider Token Endpoint'),
             loading.Opt('access-token-type',
@@ -99,7 +100,7 @@ class OpenIDConnectPassword(_OpenIDConnectBase):
 
         options.extend([
             loading.Opt('username', help='Username'),
-            loading.Opt('password', help='Password'),
+            loading.Opt('password', secret=True, help='Password'),
             loading.Opt('openid-scope', default="profile",
                         help='OpenID Connect scope that is requested from OP')
         ])
@@ -118,7 +119,7 @@ class OpenIDConnectAuthorizationCode(_OpenIDConnectBase):
 
         options.extend([
             loading.Opt('redirect-uri', help='OpenID Connect Redirect URL'),
-            loading.Opt('authorization-code',
+            loading.Opt('authorization-code', secret=True,
                         help='OAuth 2.0 Authorization Code'),
         ])