diff --git a/builtin/providers/aws/resource_aws_db_instance.go b/builtin/providers/aws/resource_aws_db_instance.go index bf4076c45..55eb85cd9 100644 --- a/builtin/providers/aws/resource_aws_db_instance.go +++ b/builtin/providers/aws/resource_aws_db_instance.go @@ -44,8 +44,9 @@ func resourceAwsDbInstance() *schema.Resource { }, "password": &schema.Schema{ - Type: schema.TypeString, - Optional: true, + Type: schema.TypeString, + Optional: true, + Sensitive: true, }, "engine": &schema.Schema{ diff --git a/command/format_plan.go b/command/format_plan.go index 9ef62b4bf..a32fbf2a8 100644 --- a/command/format_plan.go +++ b/command/format_plan.go @@ -147,26 +147,38 @@ func formatPlanModuleExpand( v = "" } - newResource := "" + if attrDiff.Sensitive { + v = "" + } + + updateMsg := "" if attrDiff.RequiresNew && rdiff.Destroy { - newResource = opts.Color.Color(" [red](forces new resource)") + updateMsg = opts.Color.Color(" [red](forces new resource)") + } else if attrDiff.Sensitive && oldValues { + updateMsg = opts.Color.Color(" [yellow](attribute changed)") } if oldValues { + var u string + if attrDiff.Sensitive { + u = "" + } else { + u = attrDiff.Old + } buf.WriteString(fmt.Sprintf( " %s:%s %#v => %#v%s\n", attrK, strings.Repeat(" ", keyLen-len(attrK)), - attrDiff.Old, + u, v, - newResource)) + updateMsg)) } else { buf.WriteString(fmt.Sprintf( " %s:%s %#v%s\n", attrK, strings.Repeat(" ", keyLen-len(attrK)), v, - newResource)) + updateMsg)) } } diff --git a/command/hook_ui.go b/command/hook_ui.go index 736dd3914..2270a1dea 100644 --- a/command/hook_ui.go +++ b/command/hook_ui.go @@ -103,15 +103,21 @@ func (h *UiHook) PreApply( attrDiff := d.Attributes[attrK] v := attrDiff.New + u := attrDiff.Old if attrDiff.NewComputed { v = "" } + if attrDiff.Sensitive { + u = "" + v = "" + } + attrBuf.WriteString(fmt.Sprintf( " %s:%s %#v => %#v\n", attrK, strings.Repeat(" ", keyLen-len(attrK)), - attrDiff.Old, + u, v)) } 
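Review bot: In formatPlanModuleExpand the masking of a sensitive attribute is split between the new `if attrDiff.Sensitive` block that overwrites `v` and a second if/else inside `if oldValues` that picks `u`, so the old and new sides are protected by different statements. The same masking is repeated in the command/hook_ui.go PreApply hunk and in the terraform/diff.go ModuleDiff.String hunk, so every future renderer of ResourceAttrDiff has to remember the check or it will print the secret. Hoisting `u := attrDiff.Old` next to `v` and masking both in the one block, as the hook_ui.go hunk does, would make the three sites read the same. A small accessor on ResourceAttrDiff that returns the displayable old and new strings would remove the duplication altogether. The function body starts and ends outside the hunk.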
diff --git a/helper/schema/schema.go b/helper/schema/schema.go index a113273f3..6062b47b9 100644 --- a/helper/schema/schema.go +++ b/helper/schema/schema.go @@ -147,6 +147,12 @@ type Schema struct { // // ValidateFunc currently only works for primitive types. ValidateFunc SchemaValidateFunc + + // Sensitive ensures that the attribute's value does not get displayed in + // logs or regular output. It should be used for passwords or other + // secret fields. Futrure versions of Terraform may encrypt these + // values. + Sensitive bool } // SchemaDefaultFunc is a function called to return a default value for @@ -281,6 +287,11 @@ func (s *Schema) finalizeDiff( d.RequiresNew = true } + if s.Sensitive { + // Set the Sensitive flag so output is hidden in the UI + d.Sensitive = true + } + return d } diff --git a/terraform/diff.go b/terraform/diff.go index 73d56f823..8c26e16ff 100644 --- a/terraform/diff.go +++ b/terraform/diff.go @@ -247,22 +247,30 @@ func (d *ModuleDiff) String() string { attrDiff := rdiff.Attributes[attrK] v := attrDiff.New + u := attrDiff.Old if attrDiff.NewComputed { v = "" } - newResource := "" + if attrDiff.Sensitive { + u = "" + v = "" + } + + updateMsg := "" if attrDiff.RequiresNew { - newResource = " (forces new resource)" + updateMsg = " (forces new resource)" + } else if attrDiff.Sensitive { + updateMsg = " (attribute changed)" } buf.WriteString(fmt.Sprintf( " %s:%s %#v => %#v%s\n", attrK, strings.Repeat(" ", keyLen-len(attrK)), - attrDiff.Old, + u, v, - newResource)) + updateMsg)) } } @@ -284,6 +292,7 @@ type ResourceAttrDiff struct { NewRemoved bool // True if this attribute is being removed NewExtra interface{} // Extra information for the provider RequiresNew bool // True if change requires new resource + Sensitive bool // True if the data should not be displayed in UI output Type DiffAttrType } diff --git a/terraform/diff_test.go b/terraform/diff_test.go index 6dbdd505e..926a093d4 100644 --- a/terraform/diff_test.go 
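Review bot: The doc comment added on `Sensitive` in the Schema struct promises that the value is kept out of "logs or regular output", but the visible hunks only change the plan and apply renderers and ModuleDiff.String. No logging path is touched in what is shown, and Old and New remain in ResourceAttrDiff in clear text. A provider author reading the comment could assume more protection than the flag gives, so I would narrow it to what is implemented, for example `// Sensitive hides the attribute's old and new values in plan and apply output.`, followed by a sentence stating that the flag does not alter or encrypt the value itself. "Futrure" in the same comment should read "Future".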
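Review bot: In the finalizeDiff hunk `d.Sensitive` is assigned only in the last statement before `return d`, so any earlier exit from the function would hand back a diff whose flag is still false and whose values the renderers then print unmasked. The start of finalizeDiff is outside this hunk, so I cannot see whether such early returns exist. If they do, the assignment needs to move ahead of them. Placing `if s.Sensitive { d.Sensitive = true }` directly after whatever guard establishes that `d` is non-nil would cover every path that returns a diff.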
+++ b/terraform/diff_test.go @@ -153,6 +153,11 @@ func TestModuleDiff_String(t *testing.T) { New: "bar", RequiresNew: true, }, + "secretfoo": &ResourceAttrDiff{ + Old: "foo", + New: "bar", + Sensitive: true, + }, }, }, }, @@ -607,7 +612,8 @@ func TestInstanceDiffSame(t *testing.T) { const moduleDiffStrBasic = ` CREATE: nodeA - bar: "foo" => "" - foo: "foo" => "bar" - longfoo: "foo" => "bar" (forces new resource) + bar: "foo" => "" + foo: "foo" => "bar" + longfoo: "foo" => "bar" (forces new resource) + secretfoo: "" => "" (attribute changed) `
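Review bot: The new `secretfoo` case in TestModuleDiff_String only exercises a sensitive attribute without RequiresNew, so the branch where ModuleDiff.String picks " (forces new resource)" for an attribute that is also sensitive is not pinned. That combination is the easiest place for a regression to go unnoticed, because the suffix no longer hints that masking applies. Adding a second attribute with `RequiresNew: true, Sensitive: true` and checking in moduleDiffStrBasic that neither `"foo"` nor `"bar"` appears on its line would cover it. As far as the visible hunks show, the masking in command/format_plan.go and command/hook_ui.go has no test in this commit.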