diff --git a/docs/apache-airflow/security/secrets/mask-sensitive-values.rst b/docs/apache-airflow/security/secrets/mask-sensitive-values.rst
index 1c3974a3ff856..a66900f3dcdad 100644
--- a/docs/apache-airflow/security/secrets/mask-sensitive-values.rst
+++ b/docs/apache-airflow/security/secrets/mask-sensitive-values.rst
@@ -39,9 +39,9 @@ When masking is enabled, Airflow will always mask the password field of every Co
 task.
 
 It will also mask the value of a Variable, rendered template dictionaries, XCom dictionaries or the
-field of a Connection's extra JSON blob if the name contains
-any words in ('access_token', 'api_key', 'apikey', 'authorization', 'passphrase', 'passwd',
-'password', 'private_key', 'secret', 'token'). This list can also be extended:
+field of a Connection's extra JSON blob if the name is in the list of known-sensitive fields (i.e. 'access_token',
+'api_key', 'apikey', 'authorization', 'passphrase', 'passwd', 'password', 'private_key', 'secret' or 'token').
+This list can also be extended:
 
 .. code-block:: ini