diff --git a/lib/ansible/modules/extras/network/asa/asa_config.py b/lib/ansible/modules/extras/network/asa/asa_config.py
index e90f5fbfaae..320255b46f0 100644
--- a/lib/ansible/modules/extras/network/asa/asa_config.py
+++ b/lib/ansible/modules/extras/network/asa/asa_config.py
@@ -137,7 +137,7 @@ options:
         will not download the running-config from the remote node.
     required: false
     default: null
-  default:
+  defaults:
     description:
       - This argument specifies whether or not to collect all defaults
         when getting the remote device running config.  When enabled,
@@ -146,6 +146,15 @@ options:
     required: false
     default: no
     choices: ['yes', 'no']
+  passwords:
+    description:
+      - This argument specifies to include passwords in the config
+        when retrieving the running-config from the remote device.  This
+        includes passwords related to VPN endpoints.  This argument is
+        mutually exclusive with I(defaults).
+    required: false
+    default: no
+    choices: ['yes', 'no']
   save:
     description:
       - The C(save) argument instructs the module to save the running-
@@ -190,10 +199,10 @@ vars:
     context: ansible
 
 - asa_config:
-    show_command: 'more system:running-config'
     lines:
       - ikev1 pre-shared-key MyS3cretVPNK3y
     parents: tunnel-group 1.1.1.1 ipsec-attributes
+    passwords: yes
     provider: "{{ cli }}"
 
 """
@@ -226,8 +235,13 @@ from ansible.module_utils.netcfg import NetworkConfig, dumps
 def get_config(module):
     contents = module.params['config']
     if not contents:
-        defaults = module.params['default']
-        contents = module.config.get_config(include_defaults=defaults)
+        if module.params['defaults']:
+            include = 'defaults'
+        elif module.params['passwords']:
+            include = 'passwords'
+        else:
+            include = None
+        contents = module.config.get_config(include=include)
     return NetworkConfig(indent=1, contents=contents)
 
 def get_candidate(module):
@@ -292,13 +306,14 @@ def main():
         replace=dict(default='line', choices=['line', 'block']),
 
         config=dict(),
-        default=dict(type='bool', default=False),
+        defaults=dict(type='bool', default=False),
+        passwords=dict(type='bool', default=False),
 
         backup=dict(type='bool', default=False),
         save=dict(type='bool', default=False),
     )
 
-    mutually_exclusive = [('lines', 'src')]
+    mutually_exclusive = [('lines', 'src'), ('defaults', 'passwords')]
 
     required_if = [('match', 'strict', ['lines']),
                    ('match', 'exact', ['lines']),