diff --git a/config/config.go b/config/config.go
index 309ba90611..281435ce5f 100644
--- a/config/config.go
+++ b/config/config.go
@@ -20,6 +20,7 @@ var (
 patJobName = regexp.MustCompile(`^[a-zA-Z_][a-zA-Z0-9_-]*$`)
 patFileSDName = regexp.MustCompile(`^[^*]*(\*[^/]*)?\.(json|yml|yaml|JSON|YML|YAML)$`)
 patRulePath = regexp.MustCompile(`^[^*]*(\*[^/]*)?$`)
+ patAuthLine = regexp.MustCompile(`((?:username|password):\s+)(".+"|'.+'|[^\s]+)`)
 )
 // Load parses the YAML input s into a Config.
@@ -118,14 +119,17 @@ func checkOverflow(m map[string]interface{}, ctx string) error {
 }
 func (c Config) String() string {
+ var s string
 if c.original != "" {
- return c.original
+ s = c.original
+ } else {
+ b, err := yaml.Marshal(c)
+ if err != nil {
+ return fmt.Sprintf("", err)
+ }
+ s = string(b)
 }
- b, err := yaml.Marshal(c)
- if err != nil {
- return fmt.Sprintf("", err)
- }
- return string(b)
+ return patAuthLine.ReplaceAllString(s, "${1}")
 }
 // UnmarshalYAML implements the yaml.Unmarshaler interface.
diff --git a/config/config_test.go b/config/config_test.go
index e41228d294..bba5fea1a3 100644
--- a/config/config_test.go
+++ b/config/config_test.go
@@ -85,8 +85,8 @@ var expectedConf = &Config{
 ScrapeTimeout: Duration(5 * time.Second),
 BasicAuth: &BasicAuth{
- Username: "admin",
- Password: "password",
+ Username: "admin_name",
+ Password: "admin_password",
 },
 MetricsPath: "/my_path",
 Scheme: "https",
@@ -183,6 +183,12 @@ func TestLoadConfig(t *testing.T) {
 if !reflect.DeepEqual(c, expectedConf) {
 t.Fatalf("%s: unexpected config result: \n\n%s\n expected\n\n%s", "testdata/conf.good.yml", bgot, bexp)
 }
+
+ // String method must not reveal authentication credentials.
+ s := c.String()
+ if strings.Contains(s, "admin_name") || strings.Contains(s, "admin_password") {
+ t.Fatalf("config's String method reveals authentication credentials.")
+ }
 }
 var expectedErrors = []struct {
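Review bot: `patAuthLine` in config/config.go does not cover several valid YAML spellings, so a credential can still survive the redaction that `String()` applies in the next hunk. The unquoted alternative `[^\s]+` stops at the first space, so `password: my secret` keeps ` secret`; a quoted key (`"password": x`) never matches because the pattern needs `password:` verbatim; and a block scalar (`password: |`) carries its value on the following lines. The first two can be closed by allowing an optional quote before the colon and consuming the rest of the line, for example `((?:username|password)["']?:[ \t]+)(.+)`; the block-scalar case cannot be fixed by a line-oriented pattern. The declaration would also benefit from a comment stating that over-matching is acceptable here and under-matching is a leak.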
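Review bot: `String()` in config/config.go scrubs the rendered text rather than the fields, so the guarantee only holds for keys that `patAuthLine` happens to name. Any other secret-bearing field in `Config` would still be printed, though none is visible in this diff, so that is an assumption to check. Nothing forces a field added later to be reflected in the regex. Redacting at the type is sturdier: give credential fields a small type whose YAML marshalling emits a fixed placeholder, and have `String()` marshal `c` instead of echoing `c.original`. At minimum the method needs a doc comment stating the contract, e.g. `// String returns the config as YAML with username and password values stripped; the result is for display and must not be parsed back.`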
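Review bot: The assertion added to `TestLoadConfig` in config/config_test.go checks only the one credential shape present in `conf.good.yml` (unquoted, single word), so it keeps passing if quoted values, values with spaces, or quoted keys leak through `String()`. It also exercises only one of the two branches of `String()`; which one depends on whether loading sets `c.original`, which is not visible in this diff. Cases covering those spellings, plus a `Config` built in code so the `yaml.Marshal` branch runs, would pin the behaviour the comment promises. Since no format arguments are passed, `t.Fatal("config's String method reveals authentication credentials")` is the idiomatic call. `TestLoadConfig` begins outside the hunk.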
diff --git a/config/testdata/conf.good.yml b/config/testdata/conf.good.yml
index 9bbf24f193..63338c60b9 100644
--- a/config/testdata/conf.good.yml
+++ b/config/testdata/conf.good.yml
@@ -49,8 +49,8 @@ scrape_configs:
 - job_name: service-x
 basic_auth:
- username: admin
- password: password
+ username: admin_name
+ password: admin_password
 scrape_interval: 50s
 scrape_timeout: 5s