diff --git a/programs/benchmark/Benchmark.cpp b/programs/benchmark/Benchmark.cpp
index e17320b39ea..bb814f474e3 100644
--- a/programs/benchmark/Benchmark.cpp
+++ b/programs/benchmark/Benchmark.cpp
@@ -18,6 +18,7 @@
 #include <Common/ConcurrentBoundedQueue.h>
 #include <Common/Exception.h>
 #include <Common/randomSeed.h>
+#include <Common/clearPasswordFromCommandLine.h>
 #include <Core/Types.h>
 #include <IO/ReadBufferFromFileDescriptor.h>
 #include <IO/WriteBufferFromFileDescriptor.h>
@@ -539,7 +540,7 @@ int mainEntryClickHouseBenchmark(int argc, char ** argv)
             ("password",      value<std::string>()->default_value(""),          "")
             ("database",      value<std::string>()->default_value("default"),   "")
             ("stacktrace",                                                      "print stack traces of exceptions")
-            ("confidence",    value<size_t>()->default_value(5),                "set the level of confidence for T-test [0=80%, 1=90%, 2=95%, 3=98%, 4=99%, 5=99.5%(default)")
+            ("confidence",    value<size_t>()->default_value(5), "set the level of confidence for T-test [0=80%, 1=90%, 2=95%, 3=98%, 4=99%, 5=99.5%(default)")
             ("query_id",      value<std::string>()->default_value(""),         "")
         ;
 
@@ -550,6 +551,8 @@ int mainEntryClickHouseBenchmark(int argc, char ** argv)
         boost::program_options::store(boost::program_options::parse_command_line(argc, argv, desc), options);
         boost::program_options::notify(options);
 
+        clearPasswordFromCommandLine(argc, argv);
+
         if (options.count("help"))
         {
             std::cout << "Usage: " << argv[0] << " [options] < queries.txt\n";
diff --git a/programs/client/Client.cpp b/programs/client/Client.cpp
index 7808120d09e..63467c1129d 100644
--- a/programs/client/Client.cpp
+++ b/programs/client/Client.cpp
@@ -38,6 +38,7 @@
 #include <Common/Throttler.h>
 #include <Common/StringUtils/StringUtils.h>
 #include <Common/typeid_cast.h>
+#include <Common/clearPasswordFromCommandLine.h>
 #include <Common/Config/ConfigProcessor.h>
 #include <Core/Types.h>
 #include <Core/QueryProcessingStage.h>
@@ -2006,6 +2007,7 @@ public:
 
         argsToConfig(common_arguments, config(), 100);
 
+        clearPasswordFromCommandLine(argc, argv);
     }
 };
 
diff --git a/src/Common/clearPasswordFromCommandLine.cpp b/src/Common/clearPasswordFromCommandLine.cpp
new file mode 100644
index 00000000000..0ff56e25c3f
--- /dev/null
+++ b/src/Common/clearPasswordFromCommandLine.cpp
@@ -0,0 +1,18 @@
+#include <string.h>
+#include "clearPasswordFromCommandLine.h"
+
+void clearPasswordFromCommandLine(int argc, char ** argv)
+{
+    for (int arg = 1; arg < argc; ++arg)
+    {
+        if (arg + 1 < argc && 0 == strcmp(argv[arg], "--password"))
+        {
+            ++arg;
+            memset(argv[arg], 0, strlen(argv[arg]));
+        }
+        else if (0 == strncmp(argv[arg], "--password=", strlen("--password=")))
+        {
+            memset(argv[arg] + strlen("--password="), 0, strlen(argv[arg]) - strlen("--password="));
+        }
+    }
+}
diff --git a/src/Common/clearPasswordFromCommandLine.h b/src/Common/clearPasswordFromCommandLine.h
new file mode 100644
index 00000000000..cf90fea1dc8
--- /dev/null
+++ b/src/Common/clearPasswordFromCommandLine.h
@@ -0,0 +1,6 @@
+#pragma once
+
+/** If there are --password=... or --password ... arguments in command line, replace their values with zero bytes.
+  * This is needed to prevent password exposure in 'ps' and similar tools.
+  */
+void clearPasswordFromCommandLine(int argc, char ** argv);
diff --git a/src/Common/ya.make b/src/Common/ya.make
index 83a419212bd..327089ff31d 100644
--- a/src/Common/ya.make
+++ b/src/Common/ya.make
@@ -30,6 +30,7 @@ SRCS(
     Config/configReadClient.cpp
     Config/ConfigReloader.cpp
     createHardLink.cpp
+    clearPasswordFromCommandLine.cpp
     CurrentMetrics.cpp
     CurrentThread.cpp
     DNSResolver.cpp
diff --git a/tests/queries/0_stateless/01317_no_password_in_command_line.reference b/tests/queries/0_stateless/01317_no_password_in_command_line.reference
new file mode 100644
index 00000000000..aa47d0d46d4
--- /dev/null
+++ b/tests/queries/0_stateless/01317_no_password_in_command_line.reference
@@ -0,0 +1,2 @@
+0
+0
diff --git a/tests/queries/0_stateless/01317_no_password_in_command_line.sh b/tests/queries/0_stateless/01317_no_password_in_command_line.sh
new file mode 100755
index 00000000000..1a3ae88616a
--- /dev/null
+++ b/tests/queries/0_stateless/01317_no_password_in_command_line.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+CURDIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
+. $CURDIR/../shell_config.sh
+
+set -e
+
+$CLICKHOUSE_CLIENT --query "DROP USER IF EXISTS user"
+$CLICKHOUSE_CLIENT --query "CREATE USER user IDENTIFIED WITH PLAINTEXT_PASSWORD BY 'hello'"
+
+# False positive result due to race condition with sleeps is Ok.
+
+$CLICKHOUSE_CLIENT --user user --password hello --query "SELECT sleep(1)" &
+sleep 0.1
+ps auxw | grep -F -- '--password' | grep -F hello ||:
+wait
+
+$CLICKHOUSE_CLIENT --user user --password=hello --query "SELECT sleep(1)" &
+sleep 0.1
+ps auxw | grep -F -- '--password' | grep -F hello ||:
+wait
+
+$CLICKHOUSE_CLIENT --query "DROP USER user"