Although Canary is designed to not hold sensitive data, it's possible for someone (even an attacker) to attempt to login to your Canary with legitimate credentials.
Of course, once credentials have been "given away" they should be rolled as a matter of good practice, but what if you have your alerts piped to slack, email, pagerduty, et al. Did those real credentials now end up in all those channels?
Data Masking is the answer!
With Data Masking turned on,
sensitive credentials will go from
where the password (or any sensitive data) is in plain text, to
You should definitely still roll those credentials, but this way it feels a little less icky.