diff --git a/openstack/common/log.py b/openstack/common/log.py
index 84ecb1284..09fb88416 100644
--- a/openstack/common/log.py
+++ b/openstack/common/log.py
@@ -59,7 +59,10 @@ _SANITIZE_PATTERNS = []
 _FORMAT_PATTERNS = [r'(%(key)s\s*[=]\s*[\"\']).*?([\"\'])',
                     r'(<%(key)s>).*?(</%(key)s>)',
                     r'([\"\']%(key)s[\"\']\s*:\s*[\"\']).*?([\"\'])',
-                    r'([\'"].*?%(key)s[\'"]\s*:\s*u?[\'"]).*?([\'"])']
+                    r'([\'"].*?%(key)s[\'"]\s*:\s*u?[\'"]).*?([\'"])',
+                    r'([\'"].*?%(key)s[\'"]\s*,\s*\'--?[A-z]+\'\s*,\s*u?[\'"])'
+                    '.*?([\'"])',
+                    r'(%(key)s\s*--?[A-z]+\s*).*?([\s])']
 
 for key in _SANITIZE_KEYS:
     for pattern in _FORMAT_PATTERNS:
diff --git a/openstack/common/processutils.py b/openstack/common/processutils.py
index f0909f9b0..0eb084c87 100644
--- a/openstack/common/processutils.py
+++ b/openstack/common/processutils.py
@@ -156,7 +156,7 @@ def execute(*cmd, **kwargs):
         attempts -= 1
         try:
             LOG.log(loglevel, 'Running cmd (subprocess): %s',
-                    ' '.join(cmd))
+                    ' '.join(logging.mask_password(cmd)))
             _PIPE = subprocess.PIPE  # pylint: disable=E1101
 
             if os.name == 'nt':
diff --git a/tests/unit/test_log.py b/tests/unit/test_log.py
index 74e7df47e..65eb390cc 100644
--- a/tests/unit/test_log.py
+++ b/tests/unit/test_log.py
@@ -894,3 +894,25 @@ class MaskPasswordTestCase(test_base.BaseTestCase):
         payload = six.text_type(payload)
         expected = """{'adminPass':'***'}"""
         self.assertEqual(expected, log.mask_password(payload))
+
+        payload = ("test = 'node.session.auth.password','-v','mypassword',"
+                   "'nomask'")
+        expected = ("test = 'node.session.auth.password','-v','***',"
+                    "'nomask'")
+        self.assertEqual(expected, log.mask_password(payload))
+
+        payload = ("test = 'node.session.auth.password', '--password', "
+                   "'mypassword', 'nomask'")
+        expected = ("test = 'node.session.auth.password', '--password', "
+                    "'***', 'nomask'")
+        self.assertEqual(expected, log.mask_password(payload))
+
+        payload = "test = node.session.auth.password -v mypassword nomask"
+        expected = "test = node.session.auth.password -v *** nomask"
+        self.assertEqual(expected, log.mask_password(payload))
+
+        payload = ("test = node.session.auth.password --password mypassword "
+                   "nomask")
+        expected = ("test = node.session.auth.password --password *** "
+                    "nomask")
+        self.assertEqual(expected, log.mask_password(payload))