diff --git a/gocryptfs-xray/xray_main.go b/gocryptfs-xray/xray_main.go
index 85470ec..522878a 100644
--- a/gocryptfs-xray/xray_main.go
+++ b/gocryptfs-xray/xray_main.go
@@ -67,6 +67,9 @@ func dumpMasterKey(fn string) {
 		exitcodes.Exit(err)
 	}
 	fmt.Println(hex.EncodeToString(masterkey))
+	for i := range pw {
+		pw[i] = 0
+	}
 }
 
 func inspectCiphertext(fd *os.File) {
diff --git a/init_dir.go b/init_dir.go
index b13f741..ea902ec 100644
--- a/init_dir.go
+++ b/init_dir.go
@@ -45,8 +45,9 @@ func initDir(args *argContainer) {
 			tlog.Fatal.Println(err)
 			os.Exit(exitcodes.WriteConf)
 		}
-		// Note: cannot overwrite password because in Go, strings are
-		// read-only byte slices.
+		for i := range password {
+			password[i] = 0
+		}
 		// password runs out of scope here
 	}
 	// Forward mode with filename encryption enabled needs a gocryptfs.diriv
diff --git a/main.go b/main.go
index ed5784f..ddb4f4e 100644
--- a/main.go
+++ b/main.go
@@ -49,6 +49,9 @@ func loadConfig(args *argContainer) (masterkey []byte, confFile *configfile.Conf
 		pw := readpassword.Once(args.extpass)
 		tlog.Info.Println("Decrypting master key")
 		masterkey, confFile, err = configfile.LoadConfFile(args.config, pw)
+		for i := range pw {
+			pw[i] = 0
+		}
 	}
 	if err != nil {
 		tlog.Fatal.Println(err)
@@ -64,9 +67,15 @@ func changePassword(args *argContainer) {
 		exitcodes.Exit(err)
 	}
 	tlog.Info.Println("Please enter your new password.")
-	newPw := readpassword.Twice(args.extpass)
-	readpassword.CheckTrailingGarbage()
-	confFile.EncryptKey(masterkey, newPw, confFile.ScryptObject.LogN())
+	{
+		newPw := readpassword.Twice(args.extpass)
+		readpassword.CheckTrailingGarbage()
+		confFile.EncryptKey(masterkey, newPw, confFile.ScryptObject.LogN())
+		for i := range newPw {
+			newPw[i] = 0
+		}
+		// newPw runs out of scope here
+	}
 	// Are we resetting the password without knowing the old one using
 	// "-masterkey"?
 	if args.masterkey != "" {
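Review bot: The same three-line wipe loop is added verbatim here and in the init_dir.go hunk and both main.go hunks; a single helper (for example a constructed `wipe(b []byte)` that zeroes the slice) would keep the four call sites consistent and give one place to document what the zeroing can and cannot achieve. Go makes no guarantee that other copies of the password bytes are cleared — the slice may already have been copied before it reached this function, and the compiler is free to keep temporaries elsewhere — so the loop is best-effort and a comment stating that would help the next reader, e.g. `// Best-effort wipe: clears this slice only, not any copies made on the way here.`. dumpMasterKey begins outside the hunk, so where `pw` is produced and read is not visible here.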
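Review bot: In the changePassword hunk `newPw` is wiped after `confFile.EncryptKey`, but `masterkey`, passed on the same line and the more valuable secret, is not wiped in this hunk; if changePassword (which continues past the hunk) does not clear it elsewhere, applying the same loop to `masterkey` once it is no longer needed would complete the change. The trailing `// newPw runs out of scope here` describes only the block scope, while it is the zeroing loop that actually clears the bytes; the comment could say so, e.g. `// newPw has been zeroed and goes out of scope here`.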