diff --git a/api/common/logging.go b/api/common/logging.go
index 64d56fe12..7e10cfe9a 100644
--- a/api/common/logging.go
+++ b/api/common/logging.go
@@ -6,6 +6,7 @@ import (
 
 	"github.com/gin-gonic/gin"
 	"github.com/sirupsen/logrus"
+	"strings"
 )
 
 func SetLogLevel(ll string) {
@@ -80,3 +81,14 @@ func SetLogDest(to, prefix string) {
 		logrus.WithFields(logrus.Fields{"scheme": parsed.Scheme, "to": to}).Error("unknown logging location scheme, defaulting to stderr")
 	}
 }
+
+// MaskPassword returns a stringified URL without its password visible
+func MaskPassword(u *url.URL) string {
+	if u.User != nil {
+		p, set := u.User.Password()
+		if set {
+			return strings.Replace(u.String(), p+"@", "***@", 1)
+		}
+	}
+	return u.String()
+}
diff --git a/api/datastore/sql/sql.go b/api/datastore/sql/sql.go
index 5dfb3eae2..d26abf44a 100644
--- a/api/datastore/sql/sql.go
+++ b/api/datastore/sql/sql.go
@@ -143,7 +143,7 @@ func (sqlLogsProvider) New(ctx context.Context, u *url.URL) (models.LogStore, er
 func newDS(ctx context.Context, url *url.URL) (*SQLStore, error) {
 	driver := url.Scheme
 
-	log := common.Logger(ctx)
+	log := common.Logger(ctx).WithFields(logrus.Fields{"url": common.MaskPassword(url)})
 	helper, ok := dbhelper.GetHelper(driver)
 
 	if !ok {
@@ -160,7 +160,7 @@ func newDS(ctx context.Context, url *url.URL) (*SQLStore, error) {
 
 	sqldb, err := sql.Open(driver, uri)
 	if err != nil {
-		log.WithFields(logrus.Fields{"url": uri}).WithError(err).Error("couldn't open db")
+		log.WithError(err).Error("couldn't open db")
 		return nil, err
 	}
 
@@ -169,7 +169,7 @@ func newDS(ctx context.Context, url *url.URL) (*SQLStore, error) {
 	// force a connection and test that it worked
 	err = pingWithRetry(ctx, db)
 	if err != nil {
-		log.WithFields(logrus.Fields{"url": uri}).WithError(err).Error("couldn't ping db")
+		log.WithError(err).Error("couldn't ping db")
 		return nil, err
 	}