diff --git a/auth/csvauth/credential.go b/auth/csvauth/credential.go
index 6807ef4..96f87c7 100644
--- a/auth/csvauth/credential.go
+++ b/auth/csvauth/credential.go
@@ -19,11 +19,25 @@ const DefaultPurpose = "login"
 type Purpose = string
 type Name = string
 
+type secretValue string
+
+func (s secretValue) String() string {
+ return "[redacted]"
+}
+
+func (s secretValue) GoString() string {
+ return `"[redacted]"`
+}
+
+func (s secretValue) MarshalText() string {
+ return s.String()
+}
+
 // Credential represents a row in the CSV file
 type Credential struct {
 Purpose Purpose
 Name Name
- plain string
+ plain secretValue
 Params []string
 Salt []byte
 Derived []byte
@@ -32,7 +46,7 @@ type Credential struct {
 }
 
 func (c Credential) Secret() string {
- return c.plain
+ return string(c.plain)
 }
 
 func FromRecord(record []string) (Credential, error) {
@@ -94,7 +108,7 @@ func FromFields(purpose, name, paramList, saltBase64, derived, roleList, extra s
 return credential, fmt.Errorf("invalid plain parameters %#v", credential.Params)
 }
 
- credential.plain = derived
+ credential.plain = secretValue(derived)
 h := sha256.Sum256([]byte(derived))
 credential.Derived = h[:]
 case "pbkdf2":
@@ -152,7 +166,7 @@ func (c Credential) ToRecord() []string {
 derived = base64.RawURLEncoding.EncodeToString(c.Derived)
 case "plain":
 salt = ""
- derived = c.plain
+ derived = string(c.plain)
 case "pbkdf2":
 salt = base64.RawURLEncoding.EncodeToString(c.Salt)
 derived = base64.RawURLEncoding.EncodeToString(c.Derived)
diff --git a/auth/csvauth/csvauth.go b/auth/csvauth/csvauth.go
index ad7bc97..d5b6c14 100644
--- a/auth/csvauth/csvauth.go
+++ b/auth/csvauth/csvauth.go
@@ -150,7 +150,7 @@ func (a *Auth) NewCredential(purpose, name, secret string, params []string, role
 fmt.Fprintf(os.Stderr, "invalid plain algorithm format: %q\n", strings.Join(params, " "))
 os.Exit(1)
 }
- c.plain = secret
+ c.plain = secretValue(secret)
 c.Params = []string{"plain"}
 h := sha256.Sum256([]byte(secret))
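Review bot: `MarshalText` on secretValue (the third added method in the first hunk of credential.go) returns a bare `string`, so it does not satisfy `encoding.TextMarshaler` (`MarshalText() ([]byte, error)`); encoders such as encoding/json will ignore it and emit the underlying string, which means the redaction holds for fmt verbs (`%v`, `%s`, `%q`, `%x`, `%#v`) but a `json.Marshal` or a slog JSON handler given a secretValue directly would still print the secret. Change it to `func (s secretValue) MarshalText() ([]byte, error) { return []byte(s.String()), nil }` and pin the contract with `var _ encoding.TextMarshaler = secretValue("")` so a later signature drift fails to compile rather than silently leaking. Since `string(c.plain)` conversions in Secret() and ToRecord() deliberately bypass the redaction, the type deserves a one-line doc comment making that explicit, e.g. `// secretValue redacts itself in fmt and text encoders; convert with string() only where the cleartext is intentionally needed.`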
@@ -171,7 +171,7 @@ func (a *Auth) NewCredential(purpose, name, secret string, params []string, role
 var err error
 var salt [12]byte
 copy(salt[:], c.Salt)
- c.plain = secret
+ c.plain = secretValue(secret)
 c.Derived, err = gcmEncrypt(a.aes128key, salt, secret)
 if err != nil {
 fmt.Fprintf(os.Stderr, "could not aes-128-gcm encrypt secret: %v\n", err)
@@ -332,12 +332,13 @@ func (a *Auth) LoadServiceAccount(purpose Purpose) (Credential, error) {
 return c, nil
 }
 
-func (a *Auth) maybeDecryptCredential(c Credential) (secretValue, error) {
+func (a *Auth) maybeDecryptCredential(c Credential) (secretValue, error) {
 switch c.Params[0] {
 case "aes-128-gcm":
 var salt [12]byte
 copy(salt[:], c.Salt)
- return a.gcmDecrypt(a.aes128key, salt, c.Derived)
+ plain, err := a.gcmDecrypt(a.aes128key, salt, c.Derived)
+ return secretValue(plain), err
 default:
 break
 }
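Review bot: In the aes-128-gcm branch of maybeDecryptCredential, `return secretValue(plain), err` hands back a converted value alongside a non-nil error, so a caller that checks the error late still holds whatever gcmDecrypt returned on failure; prefer `if err != nil { return "", err }` followed by `return secretValue(plain), nil` so the secret is empty whenever the error is set. maybeDecryptCredential continues past the hunk, so the return after the `default: break` branch is not visible here, and the same early-return shape would be worth applying there if it also forwards a value with an error.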