It would be neat if the Mongoid logger would filter passwords etc. from its output. Although many may not have logging enabled in production, we find it very useful and still do. However, passwords may then be shown in plain-text in those logs, unless other precautions are taken.

This snippet could be helpful:

filters = Rails.application.config.filter_parameters
f = ActionDispatch::Http::ParameterFilter.new filters
f.filter :password => 'haha' # => {:password=>"[FILTERED]"}