diff --git a/tacker/api/v1/base.py b/tacker/api/v1/base.py
index 2cb60f90c..67d83dd5c 100644
--- a/tacker/api/v1/base.py
+++ b/tacker/api/v1/base.py
@@ -18,6 +18,7 @@ from six import iteritems
 import webob.exc
 
 from oslo_log import log as logging
+from oslo_utils import strutils
 
 from tacker.api import api_common
 from tacker.api.v1 import attributes
@@ -505,7 +506,8 @@ class Controller(object):
         if not body:
             raise webob.exc.HTTPBadRequest(_("Resource body required"))
 
-        LOG.debug(_("Request body: %(body)s"), {'body': body})
+        LOG.debug(_("Request body: %(body)s"), {'body':
+                                               strutils.mask_password(body)})
         prep_req_body = lambda x: Controller.prepare_request_body(
             context,
             x if resource in x else {resource: x},
diff --git a/tacker/common/log.py b/tacker/common/log.py
index b93017d0f..fa203147a 100644
--- a/tacker/common/log.py
+++ b/tacker/common/log.py
@@ -16,6 +16,7 @@
 """Log helper functions."""
 
 from oslo_log import log as logging
+from oslo_utils import strutils
 
 LOG = logging.getLogger(__name__)
 
@@ -27,7 +28,8 @@ def log(method):
         data = {"class_name": (instance.__class__.__module__ + '.'
                                + instance.__class__.__name__),
                 "method_name": method.__name__,
-                "args": args[1:], "kwargs": kwargs}
+                "args": strutils.mask_password(args[1:]),
+                "kwargs": strutils.mask_password(kwargs)}
         LOG.debug(_('%(class_name)s method %(method_name)s'
                     ' called with arguments %(args)s %(kwargs)s'), data)
         return method(*args, **kwargs)
diff --git a/tacker/nfvo/nfvo_plugin.py b/tacker/nfvo/nfvo_plugin.py
index ac9b91895..3a8cdc410 100644
--- a/tacker/nfvo/nfvo_plugin.py
+++ b/tacker/nfvo/nfvo_plugin.py
@@ -21,6 +21,7 @@ import uuid
 from oslo_config import cfg
 from oslo_log import log as logging
 from oslo_utils import excutils
+from oslo_utils import strutils
 
 from tacker.common import driver_manager
 from tacker.common import log
@@ -77,7 +78,8 @@ class NfvoPlugin(nfvo_db.NfvoPluginDb):
 
     @log.log
     def create_vim(self, context, vim):
-        LOG.debug(_('Create vim called with parameters %s'), vim)
+        LOG.debug(_('Create vim called with parameters %s'),
+             strutils.mask_password(vim))
         vim_obj = vim['vim']
         vim_type = vim_obj['type']
         vim_obj['id'] = str(uuid.uuid4())
diff --git a/tacker/tests/unit/test_common_log.py b/tacker/tests/unit/test_common_log.py
index fd37046d3..5eb484918 100644
--- a/tacker/tests/unit/test_common_log.py
+++ b/tacker/tests/unit/test_common_log.py
@@ -68,3 +68,12 @@ class TestCallLog(base.BaseTestCase):
             self.klass.test_method(10, arg2=20, arg3=30, arg4=40)
             log_debug.assert_called_once_with(self.expected_format,
                                               self.expected_data)
+
+    def test_call_log_password_mask_args_kwargs(self):
+        auth_cred = {'userame': 'demo', 'password': 'changeit'}
+        self.expected_data['kwargs'] = {'password': '***'}
+        self.expected_data['args'] = ({'userame': 'demo', 'password': '***'})
+        with mock.patch.object(call_log.LOG, 'debug') as log_debug:
+            self.klass.test_method(auth_cred, password='guessme')
+            log_debug.assert_called_once_with(self.expected_format,
+                                              self.expected_data)