diff --git a/.gitlab/merge_request_templates/Default.md b/.gitlab/merge_request_templates/Default.md
new file mode 100644
index 0000000000000000000000000000000000000000..a8c5b719ad5f8e18c2fd68d2daa1e5c62f94d450
--- /dev/null
+++ b/.gitlab/merge_request_templates/Default.md
@@ -0,0 +1,48 @@
+# Summary
+
+    Insert a meaningful description for this merge request here.  What is the
+    new/changed behavior? Which bug has been fixed? Are there related Issues?
+
+# Focus
+
+    Point the reviewer to the core of the code change. Where should they start
+    reading? What should they focus on (e.g. security, performance,
+    maintainability, user-friendliness, compliance with the specs, finding more
+    corner cases, concrete questions)?
+
+# Test Environment
+
+    How to set up a test environment for manual testing?
+
+# Check List for the Author
+
+Please, prepare your MR for a review. Be sure to write a summary and a
+focus and create gitlab comments for the reviewer. They should guide the
+reviewer through the changes, explain your changes and also point out open
+questions. For further good practices have a look at [our review
+guidelines](https://gitlab.com/caosdb/caosdb/-/blob/dev/REVIEW_GUIDELINES.md)
+
+- [ ] All automated tests pass
+- [ ] Reference related Issues
+- [ ] Up-to-date CHANGELOG.md
+- [ ] Annotations in code (Gitlab comments)
+  - Intent of new code
+  - Problems with old code
+  - Why this implementation?
+
+
+# Check List for the Reviewer
+
+
+- [ ] I understand the intent of this MR
+- [ ] All automated tests pass
+- [ ] Up-to-date CHANGELOG.md
+- [ ] The test environment setup works and the intended behavior is
+  reproducible in the test environment
+- [ ] In-code documentation and comments are up-to-date.
+- [ ] Check: Are there spezifications? Are they satisfied?
+
+For further good practices have a look at [our review guidelines](https://gitlab.com/caosdb/caosdb/-/blob/dev/REVIEW_GUIDELINES.md).
+
+
+/assign me
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f66c4ca07a1a300bc6d180954bb6fa82fca3c8f4..78cb02fb40b0313ab7e3274a38880dddcbccc14c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,7 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
-* `Entity/names` resource for retrieving all known entity names.
+- `Entity/names` resource for retrieving all known entity names.
 - Scripting is simplified by adding a `home` directory, of which a copy is
   created for each called script and set as the `HOME` environment variable.
 - [bend_symlinks.sh](misc/bend_symlinks/bend_symlinks.sh) (version 0.1, experimental)
@@ -36,26 +36,22 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 
-* #27 - star matches slashes (e.g. for `FIND ... STORED AT /*.dat`).
-
-* #30 - file path cannot be in quotes
-
+- #27 - star matches slashes (e.g. for `FIND ... STORED AT /*.dat`).
+- #30 - file path cannot be in quotes
 - #46 - Server-side scripting failed as an unprivileged user because the was no
   writable home directory.
-
 - NaN Double Values (see #41)
-
 - #14 - Handle files on file system without File entity: Those entries are
   returned without ID but with a notice now.
-
-* #11 - pam_authentication leaks the password to unprivileged processes on the
+- #11 - pam_authentication leaks the password to unprivileged processes on the
   same machine.
 
 ### Security (in case of vulnerabilities)
 
 - TLS is by default restricted to v1.2 and v1.3 now.
-* #11 - pam_authentication leaks the password to unprivileged processes on the
-  same machine.
+- #11 - `pam_authentication` and `ldap_authentication.sh` leaked the password to unprivileged
+  processes on the same machine.
+- #68 - Shadow sensitive information when logging for debugging purposes.
 
 
 ## [0.1.0] - 2018-10-09
diff --git a/misc/pam_authentication/ldap.conf b/misc/pam_authentication/ldap.conf
index aca5b0491bc937997f7e70efae09d92c55564e67..117d1074915e3cacd9a97b83b5a2e83e3c50d451 100644
--- a/misc/pam_authentication/ldap.conf
+++ b/misc/pam_authentication/ldap.conf
@@ -2,6 +2,6 @@
 
 
 # Set the ldap server here.  This is also used to generate a fully qualified
-# user name.
+# user name: <USER>@$LDAP_SERVER
 
 # LDAP_SERVER="example.com"
diff --git a/misc/pam_authentication/ldap_authentication.sh b/misc/pam_authentication/ldap_authentication.sh
index 1e3ee2e8da5cc4aed55c55359ae1086e6b7de129..f887bf99f47c827fd712d2189a5ca89ec2981e6c 100755
--- a/misc/pam_authentication/ldap_authentication.sh
+++ b/misc/pam_authentication/ldap_authentication.sh
@@ -21,10 +21,10 @@
 #
 # ** end header
 
-# Try to authenticate a user ($1) with a password ($2) via LDAP
+# Try to authenticate a user ($1) via LDAP, either via stdin or a password file ($2, if given).
 
-[[ "$#" == "2" ]] || {
-    echo "call this script with two arguments: user and password"
+[[ "$#" == "1" || "$#" == "2" ]] || {
+    echo "Call this script as: $0 <user> [<password file>]"
     exit 1
 }
 
@@ -33,11 +33,17 @@
 exe_dir=$(dirname $0)
 . "$exe_dir/"ldap.conf
 
+# If the second argument is empty or "-", take password from stdin, else use the argument as a file.
 testpw() {
     username="${1}@${LDAP_SERVER}"
-    pw="$2"
+    pwfile="$2"
+    pwargs=("-w" "$pwfile")
+    if [[ $pwfile == "-" ]] ; then
+        pwargs=("-W")
+    fi
 
-    if timeout 5s ldapwhoami -x -H "ldap://$LDAP_SERVER" -D "$username" -w "$pw"; then
+    export LDAPTLS_REQCERT=ALLOW
+    if timeout 5s ldapwhoami -x -H "ldaps://$LDAP_SERVER" -D "$username" "${pwargs[@]}"; then
         return 0
     else
         ret_code="$?"
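Review bot: `pwargs=("-w" "$pwfile")` hands the file path to ldapwhoami as the password itself, because `-w` takes the literal password and `-y` is the option that reads it from a file; the line should be `pwargs=("-y" "$pwfile")` (`-y` uses the complete file contents, so a trailing newline in the file becomes part of the password). The comment above testpw promises stdin for an empty second argument, but only `"-"` is tested, so an empty `$2` is passed through as `-w ""`; `if [[ -z $pwfile || $pwfile == "-" ]] ; then` would match the comment, and an empty password is worth rejecting outright because some servers answer a bind with a DN and no password as a successful anonymous bind. `export LDAPTLS_REQCERT=ALLOW` lets the `ldaps://` session continue when the server certificate cannot be verified, so the password is encrypted in transit but the server is not authenticated; consider `demand` with the CA configured, or at least make the value a setting in ldap.conf. testpw continues past the end of this hunk.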
@@ -48,7 +54,7 @@ testpw() {
         return "$ret_code"
     fi
 
-    ldapwhoami -x -H "ldap://$LDAP_SERVER" -D "$username" -w "$pw"
+    ldapwhoami -x -H "ldaps://$LDAP_SERVER" -D "$username" "${pwargs[@]}"
 
 }
 
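Review bot: The second `ldapwhoami` call reuses `"${pwargs[@]}"`, and in the stdin case that is `-W`, which has nothing left to read if the first call at the top of testpw already consumed the password from stdin. The retry would then bind with an empty password or fail for a reason unrelated to the credentials. Reading the password once before the first call (for example `IFS= read -r pw`) and giving each invocation its own copy through `-y <(printf '%s' "$pw")` keeps it out of the argument list and lets both calls see the same input. The condition that leads to this second call lies between the hunks and is not visible here, so this assumes the call is reached after the first one has run.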
diff --git a/src/main/java/caosdb/server/ServerProperties.java b/src/main/java/caosdb/server/ServerProperties.java
index 08ffc43488e2f49e6d44c34ab0e0927b8ee2a5db..f29edeb1832014db1933dd85744dd22611cee847 100644
--- a/src/main/java/caosdb/server/ServerProperties.java
+++ b/src/main/java/caosdb/server/ServerProperties.java
@@ -172,7 +172,10 @@ public class ServerProperties extends Properties {
       ArrayList<String> names = new ArrayList<>(serverProperties.stringPropertyNames());
       Collections.sort(names);
       for (String name : names) {
-        String val = name.contains("PASSW") ? "****" : serverProperties.getProperty(name);
+        String val =
+            (name.contains("PASSW") || name.contains("SECRET"))
+                ? "****"
+                : serverProperties.getProperty(name);
         logger.info(name + "=" + val);
       }
     }
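Review bot: The mask in `name.contains("PASSW") || name.contains("SECRET")` is a case-sensitive substring test, so a property named in lower or mixed case, or a credential whose name uses another word such as a token or key, would still be written to the log by `logger.info(name + "=" + val)`. Comparing on `name.toUpperCase(Locale.ROOT)` and keeping the sensitive markers in one named collection would make the rule easier to extend and review; whether any such property exists today cannot be told from this hunk. A short comment above the loop would also help, e.g. `// Values are masked by property-name pattern only; add new sensitive markers here.` The enclosing method starts outside the hunk.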