diff --git a/lib/commands/config.js b/lib/commands/config.js
index eb1d570c6ea25..6553a26620cb7 100644
--- a/lib/commands/config.js
+++ b/lib/commands/config.js
@@ -28,7 +28,17 @@ const keyValues = args => {
   return kv
 }
 
-const publicVar = k => !/^(\/\/[^:]+:)?_/.test(k)
+const publicVar = k => {
+  // _password
+  if (k.startsWith('_')) {
+    return false
+  }
+  // //localhost:8080/:_password
+  if (k.startsWith('//') && k.includes(':_')) {
+    return false
+  }
+  return true
+}
 
 const BaseCommand = require('../base-command.js')
 class Config extends BaseCommand {
@@ -147,7 +157,7 @@ class Config extends BaseCommand {
     const out = []
     for (const key of keys) {
       if (!publicVar(key)) {
-        throw `The ${key} option is protected, and cannot be retrieved in this way`
+        throw new Error(`The ${key} option is protected, and cannot be retrieved in this way`)
       }
 
       const pref = keys.length > 1 ? `${key}=` : ''
diff --git a/lib/utils/exit-handler.js b/lib/utils/exit-handler.js
index 32434662422ae..22c774101751b 100644
--- a/lib/utils/exit-handler.js
+++ b/lib/utils/exit-handler.js
@@ -116,6 +116,7 @@ const exitHandler = err => {
       exitCode = err.code
       noLogMessage = true
     } else if (typeof err === 'string') {
+      // XXX: we should stop throwing strings
       log.error('', err)
       noLogMessage = true
     } else if (!(err instanceof Error)) {
diff --git a/test/lib/commands/config.js b/test/lib/commands/config.js
index b37088c06b9cd..d78e0290a850b 100644
--- a/test/lib/commands/config.js
+++ b/test/lib/commands/config.js
@@ -333,7 +333,13 @@ t.test('config get private key', async t => {
 
   await t.rejects(
     sandbox.run('config', ['get', '_authToken']),
-    '_authToken is protected',
+    /_authToken option is protected/,
+    'rejects with protected string'
+  )
+
+  await t.rejects(
+    sandbox.run('config', ['get', '//localhost:8080/:_password']),
+    /_password option is protected/,
     'rejects with protected string'
   )
 })