diff --git a/oslo_utils/strutils.py b/oslo_utils/strutils.py
index bb08eb97..279a6fb9 100644
--- a/oslo_utils/strutils.py
+++ b/oslo_utils/strutils.py
@@ -54,12 +54,19 @@ SLUGIFY_STRIP_RE = re.compile(r"[^\w\s-]")
 SLUGIFY_HYPHENATE_RE = re.compile(r"[-\s]+")
 
 
-# NOTE(flaper87): The following globals are used by `mask_password`
-_SANITIZE_KEYS = ['adminPass', 'admin_pass', 'password', 'admin_password',
+# NOTE(flaper87): The following globals are used by `mask_password` and
+#                 `mask_dict_password`
+_SANITIZE_KEYS = ['adminpass', 'admin_pass', 'password', 'admin_password',
                   'auth_token', 'new_pass', 'auth_password', 'secret_uuid',
                   'secret', 'sys_pswd', 'token', 'configdrive',
-                  'CHAPPASSWORD', 'encrypted_key', 'private_key',
-                  'encryption_key_id', 'fernetkey', 'sslkey', 'passphrase']
+                  'chappassword', 'encrypted_key', 'private_key',
+                  'encryption_key_id', 'fernetkey', 'sslkey', 'passphrase',
+                  'cephclusterfsid', 'octaviaheartbeatkey', 'rabbitcookie',
+                  'cephmanilaclientkey', 'pacemakerremoteauthkey',
+                  'designaterndckey', 'cephadminkey', 'heatauthencryptionkey',
+                  'cephclientkey', 'keystonecredential',
+                  'barbicansimplecryptokek', 'cephrgwkey', 'swifthashsuffix',
+                  'migrationsshkey', 'cephmdskey', 'cephmonkey']
 
 # NOTE(ldbragst): Let's build a list of regex objects using the list of
 # _SANITIZE_KEYS we already have. This way, we only have to add the new key
@@ -408,7 +415,7 @@ def mask_dict_password(dictionary, secret="***"):  # nosec
         k_matched = False
         if isinstance(k, six.string_types):
             for sani_key in _SANITIZE_KEYS:
-                if sani_key in k:
+                if sani_key.lower() in k.lower():
                     out[k] = secret
                     k_matched = True
                     break
diff --git a/oslo_utils/tests/test_strutils.py b/oslo_utils/tests/test_strutils.py
index ebfb2cd6..ceb5fdcb 100644
--- a/oslo_utils/tests/test_strutils.py
+++ b/oslo_utils/tests/test_strutils.py
@@ -691,6 +691,16 @@ class MaskDictionaryPasswordTestCase(test_base.BaseTestCase):
         self.assertEqual(expected,
                          strutils.mask_dict_password(payload))
 
+        payload = {'passwords': {'KeystoneFernetKey1': 'c5FijjS'}}
+        expected = {'passwords': {'KeystoneFernetKey1': '***'}}
+        self.assertEqual(expected,
+                         strutils.mask_dict_password(payload))
+
+        payload = {'passwords': {'keystonecredential0': 'c5FijjS'}}
+        expected = {'passwords': {'keystonecredential0': '***'}}
+        self.assertEqual(expected,
+                         strutils.mask_dict_password(payload))
+
     def test_do_no_harm(self):
         payload = {}
         expected = {}
diff --git a/releasenotes/notes/mask-dict-passwords-99357ffb7972fb0b.yaml b/releasenotes/notes/mask-dict-passwords-99357ffb7972fb0b.yaml
new file mode 100644
index 00000000..6303534b
--- /dev/null
+++ b/releasenotes/notes/mask-dict-passwords-99357ffb7972fb0b.yaml
@@ -0,0 +1,9 @@
+---
+security:
+  - |
+    This patch ensures that we mask sensitive data when masking dicts, even if
+    the case doesn't match. This means the behaviour of mask_password and
+    mask_dict_password is now the same.
+  - |
+    Additional password names were included from real world logs that contained
+    sensitive information.
\ No newline at end of file