diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8edea3e24..e16c207ae 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,4 @@
+  - Don't log sensitive data on start (#463) @jvassev
   - Google: Improve logging to help trace misconfigurations (#388) @stealthybox
   - AWS: In addition to the one best public hosted zone, records will be added to all matching private hosted zones (#356) @coreypobrien
   - Every record managed by External DNS is now mapped to a kubernetes resource (service/ingress) @ideahitme
diff --git a/main.go b/main.go
index 49841eaa3..1a6d86bca 100644
--- a/main.go
+++ b/main.go
@@ -41,7 +41,7 @@ func main() {
 	if err := cfg.ParseFlags(os.Args[1:]); err != nil {
 		log.Fatalf("flag parsing error: %v", err)
 	}
-	log.Infof("config: %+v", cfg)
+	log.Infof("config: %s", cfg)
 
 	if err := validation.ValidateConfig(cfg); err != nil {
 		log.Fatalf("config validation failed: %v", err)
diff --git a/pkg/apis/externaldns/types.go b/pkg/apis/externaldns/types.go
index 22aa91dad..69d67f99c 100644
--- a/pkg/apis/externaldns/types.go
+++ b/pkg/apis/externaldns/types.go
@@ -17,6 +17,7 @@ limitations under the License.
 package externaldns
 
 import (
+	"fmt"
 	"strconv"
 	"time"
 
@@ -24,6 +25,10 @@ import (
 	"github.com/sirupsen/logrus"
 )
 
+const (
+	passwordMask = "******"
+)
+
 var (
 	// Version is the current version of the app, generated at build time
 	Version = "unknown"
@@ -109,6 +114,19 @@ func NewConfig() *Config {
 	return &Config{}
 }
 
+func (cfg *Config) String() string {
+	// prevent logging of sensitive information
+	temp := *cfg
+	if temp.DynPassword != "" {
+		temp.DynPassword = passwordMask
+	}
+	if temp.InfobloxWapiPassword != "" {
+		temp.InfobloxWapiPassword = passwordMask
+	}
+
+	return fmt.Sprintf("%+v", temp)
+}
+
 // allLogLevelsAsStrings returns all logrus levels as a list of strings
 func allLogLevelsAsStrings() []string {
 	var levels []string