If the password contains a character that is printed in a escaped form in the log output, the masking does not work.

In my case, I use ant and its echoproperties task. The password p a # # w o r d will be echoed as p a \ # \ # w o r d and thus not masked.

It would be good to also catch some alternative escaped forms? A different solution could be, to give the opportunity to enter additional patterns that are not set as properties but masked if they appear in the log.