diff --git a/core/lib/Drupal/Core/FileTransfer/FTP.php b/core/lib/Drupal/Core/FileTransfer/FTP.php
index 83cf66bed4837dfd3c7a341185832876f29a5cd7..a7adcab2f444d48ab8475c8aa5b9216177e94ff4 100644
--- a/core/lib/Drupal/Core/FileTransfer/FTP.php
+++ b/core/lib/Drupal/Core/FileTransfer/FTP.php
@@ -10,7 +10,7 @@ abstract class FTP extends FileTransfer {
   /**
    * {@inheritdoc}
    */
-  public function __construct($jail, $username, $password, $hostname, $port) {
+  public function __construct($jail, $username, #[\SensitiveParameter] $password, $hostname, $port) {
     $this->username = $username;
     $this->password = $password;
     $this->hostname = $hostname;
diff --git a/core/lib/Drupal/Core/FileTransfer/SSH.php b/core/lib/Drupal/Core/FileTransfer/SSH.php
index e6b883f32b014bf875eabb065b18cf8584ac2e9a..3fd71902131759fb12a4b62ce6c745388abd75ab 100644
--- a/core/lib/Drupal/Core/FileTransfer/SSH.php
+++ b/core/lib/Drupal/Core/FileTransfer/SSH.php
@@ -10,7 +10,7 @@ class SSH extends FileTransfer implements ChmodInterface {
   /**
    * {@inheritdoc}
    */
-  public function __construct($jail, $username, $password, $hostname = "localhost", $port = 22) {
+  public function __construct($jail, $username, #[\SensitiveParameter] $password, $hostname = "localhost", $port = 22) {
     $this->username = $username;
     $this->password = $password;
     $this->hostname = $hostname;
diff --git a/core/lib/Drupal/Core/Password/PasswordInterface.php b/core/lib/Drupal/Core/Password/PasswordInterface.php
index b38cc79f89e4707904c9851bcdba1e41087147a1..f9fcfa849e44245e40463a6edb8a3d6d7ec5e217 100644
--- a/core/lib/Drupal/Core/Password/PasswordInterface.php
+++ b/core/lib/Drupal/Core/Password/PasswordInterface.php
@@ -21,7 +21,7 @@ interface PasswordInterface {
    * @return string
    *   A string containing the hashed password, or FALSE on failure.
    */
-  public function hash($password);
+  public function hash(#[\SensitiveParameter] $password);
 
   /**
    * Check whether a plain text password matches a hashed password.
@@ -34,7 +34,7 @@ public function hash($password);
    * @return bool
    *   TRUE if the password is valid, FALSE if not.
    */
-  public function check($password, $hash);
+  public function check(#[\SensitiveParameter] $password, #[\SensitiveParameter] $hash);
 
   /**
    * Check whether a hashed password needs to be replaced with a new hash.
diff --git a/core/lib/Drupal/Core/Password/PhpassHashedPassword.php b/core/lib/Drupal/Core/Password/PhpassHashedPassword.php
index de702d3ff572c9232a9ad2c8bb7f5249a33b45d8..68426066e0457032bcbe9d2042a96ab3eb629b67 100644
--- a/core/lib/Drupal/Core/Password/PhpassHashedPassword.php
+++ b/core/lib/Drupal/Core/Password/PhpassHashedPassword.php
@@ -155,7 +155,7 @@ protected function enforceLog2Boundaries($count_log2) {
    *   A string containing the hashed password (and salt) or FALSE on failure.
    *   The return string will be truncated at HASH_LENGTH characters max.
    */
-  protected function crypt($algo, $password, $setting) {
+  protected function crypt($algo, #[\SensitiveParameter] $password, $setting) {
     // Prevent DoS attacks by refusing to hash large passwords.
     if (strlen($password) > PasswordInterface::PASSWORD_MAX_LENGTH) {
       return FALSE;
@@ -213,14 +213,14 @@ public function getCountLog2($setting) {
   /**
    * {@inheritdoc}
    */
-  public function hash($password) {
+  public function hash(#[\SensitiveParameter] $password) {
     return $this->crypt('sha512', $password, $this->generateSalt());
   }
 
   /**
    * {@inheritdoc}
    */
-  public function check($password, $hash) {
+  public function check(#[\SensitiveParameter] $password, #[\SensitiveParameter] $hash) {
     if (substr($hash, 0, 2) == 'U$') {
       // This may be an updated password from user_update_7000(). Such hashes
       // have 'U' added as the first character and need an extra md5() (see the
@@ -258,7 +258,7 @@ public function check($password, $hash) {
   /**
    * {@inheritdoc}
    */
-  public function needsRehash($hash) {
+  public function needsRehash(#[\SensitiveParameter] $hash) {
     // Check whether this was an updated password.
     if ((substr($hash, 0, 3) != '$S$') || (strlen($hash) != static::HASH_LENGTH)) {
       return TRUE;
diff --git a/core/lib/Drupal/Core/PrivateKey.php b/core/lib/Drupal/Core/PrivateKey.php
index 38d0d336dba36192e334db73cbdea55df76a8314..2ff9cf2ca87d373e382980fb9f13ba367b223587 100644
--- a/core/lib/Drupal/Core/PrivateKey.php
+++ b/core/lib/Drupal/Core/PrivateKey.php
@@ -48,7 +48,7 @@ public function get() {
    * @param string $key
    *   The private key to set.
    */
-  public function set($key) {
+  public function set(#[\SensitiveParameter] $key) {
     return $this->state->set('system.private_key', $key);
   }
 
diff --git a/core/lib/Drupal/Core/Session/SessionHandler.php b/core/lib/Drupal/Core/Session/SessionHandler.php
index 420864e6234584e9c76b8ae2b05ca91ecf8aa1cb..9917cdb079d1b9bda5f7d54fbc233c47ca2117ac 100644
--- a/core/lib/Drupal/Core/Session/SessionHandler.php
+++ b/core/lib/Drupal/Core/Session/SessionHandler.php
@@ -55,7 +55,7 @@ public function open($save_path, $name) {
    * {@inheritdoc}
    */
   #[\ReturnTypeWillChange]
-  public function read($sid) {
+  public function read(#[\SensitiveParameter] $sid) {
     $data = '';
     if (!empty($sid)) {
       // Read the session data from the database.
@@ -70,7 +70,7 @@ public function read($sid) {
    * {@inheritdoc}
    */
   #[\ReturnTypeWillChange]
-  public function write($sid, $value) {
+  public function write(#[\SensitiveParameter] $sid, $value) {
     // The exception handler is not active at this point, so we need to do it
     // manually.
     try {
@@ -111,7 +111,7 @@ public function close() {
    * {@inheritdoc}
    */
   #[\ReturnTypeWillChange]
-  public function destroy($sid) {
+  public function destroy(#[\SensitiveParameter] $sid) {
     // Delete session data.
     $this->connection->delete('sessions')
       ->condition('sid', Crypt::hashBase64($sid))
diff --git a/core/modules/user/src/Entity/User.php b/core/modules/user/src/Entity/User.php
index 145a80dc40285ef1a86b54901542a986c4ca8b38..1ea54bf04a8116e24ce72b2c495701bcb08ce8d7 100644
--- a/core/modules/user/src/Entity/User.php
+++ b/core/modules/user/src/Entity/User.php
@@ -230,7 +230,7 @@ public function getPassword() {
   /**
    * {@inheritdoc}
    */
-  public function setPassword($password) {
+  public function setPassword(#[\SensitiveParameter] $password) {
     $this->get('pass')->value = $password;
     return $this;
   }
@@ -400,7 +400,7 @@ public function setUsername($username) {
   /**
    * {@inheritdoc}
    */
-  public function setExistingPassword($password) {
+  public function setExistingPassword(#[\SensitiveParameter] $password) {
     $this->get('pass')->existing = $password;
     return $this;
   }
diff --git a/core/modules/user/src/UserAuth.php b/core/modules/user/src/UserAuth.php
index e0df09714ee0ac0f0153ada4a910762b6884c8fa..03ad41af3c03b2b2ea1dae8ff37a92a3135c6844 100644
--- a/core/modules/user/src/UserAuth.php
+++ b/core/modules/user/src/UserAuth.php
@@ -40,7 +40,7 @@ public function __construct(EntityTypeManagerInterface $entity_type_manager, Pas
   /**
    * {@inheritdoc}
    */
-  public function authenticate($username, $password) {
+  public function authenticate($username, #[\SensitiveParameter] $password) {
     $uid = FALSE;
 
     if (!empty($username) && strlen($password) > 0) {
diff --git a/core/modules/user/src/UserAuthInterface.php b/core/modules/user/src/UserAuthInterface.php
index 91f2cc342c69b4354f41cf4db8adedb4e1fe11bb..7c3bfcfad413c7eeb39e05097a2b660105c28256 100644
--- a/core/modules/user/src/UserAuthInterface.php
+++ b/core/modules/user/src/UserAuthInterface.php
@@ -18,6 +18,6 @@ interface UserAuthInterface {
    * @return int|bool
    *   The user's uid on success, or FALSE on failure to authenticate.
    */
-  public function authenticate($username, $password);
+  public function authenticate($username, #[\SensitiveParameter] $password);
 
 }
diff --git a/core/modules/user/src/UserInterface.php b/core/modules/user/src/UserInterface.php
index 5e571a58fd45da2103d69b07aebf4bbf5dd087de..bbbacff52311a9e8770ab354b5161333e59c59cf 100644
--- a/core/modules/user/src/UserInterface.php
+++ b/core/modules/user/src/UserInterface.php
@@ -112,7 +112,7 @@ public function getPassword();
    * @return $this
    *   The called user entity.
    */
-  public function setPassword($password);
+  public function setPassword(#[\SensitiveParameter] $password);
 
   /**
    * Sets the email address of the user.
@@ -213,7 +213,7 @@ public function getInitialEmail();
    *
    * @return $this
    */
-  public function setExistingPassword($password);
+  public function setExistingPassword(#[\SensitiveParameter] $password);
 
   /**
    * Checks the existing password if set.
diff --git a/core/profiles/demo_umami/demo_umami.profile b/core/profiles/demo_umami/demo_umami.profile
index 8fd785736335b03334446aabd1a8e8d3d84a075d..e1f880595f931921cd13015e7b584f2ecfc48666 100644
--- a/core/profiles/demo_umami/demo_umami.profile
+++ b/core/profiles/demo_umami/demo_umami.profile
@@ -32,7 +32,7 @@ function demo_umami_form_install_configure_submit($form, FormStateInterface $for
 /**
  * Sets the password of admin to be the password for all users.
  */
-function demo_umami_set_users_passwords($admin_password) {
+function demo_umami_set_users_passwords(#[\SensitiveParameter] $admin_password) {
   // Collect the IDs of all users with roles editor or author.
   $ids = \Drupal::entityQuery('user')
     ->accessCheck(FALSE)