This is the most common scenario: a developer adds credentials to source code during development ("just for testing") and commits the file to version control. Git's append-only data model means that a git rm does not actually remove anything: it only records a deletion in a new commit, and the blob containing the secret stays reachable from every earlier commit. Attackers can (and do) scan the full history of public repositories, so a secret that was ever committed has to be treated as exposed.
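To make the "git rm removes nothing" point concrete, here is an added example (not code from the page) that walks `git log -p` output and reports every commit that ever added a secret-looking line. The log text, commit ids and key values are constructed placeholders; a newer commit deletes the file, yet the scanner still finds the secret in the older commit, which is exactly what a history scan of a public repository would see.

```python
import re

# Constructed sample of `git log -p --all` output (not a real repository; the
# commit ids are placeholders). The older commit adds config.py "just for
# testing"; the newer one runs `git rm`, which only records a deletion.
SAMPLE_LOG = """\
commit 1111111111111111111111111111111111111111
Author: dev <dev@example.com>

    remove config

diff --git a/config.py b/config.py
--- a/config.py
+++ /dev/null
@@ -1,2 +0,0 @@
-AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE12"
-DB_PASSWORD = "s3cret-for-testing"

commit 0000000000000000000000000000000000000000
Author: dev <dev@example.com>

    add config, just for testing

diff --git a/config.py b/config.py
--- /dev/null
+++ b/config.py
@@ -0,0 +1,2 @@
+AWS_ACCESS_KEY_ID = "AKIAEXAMPLEEXAMPLE12"
+DB_PASSWORD = "s3cret-for-testing"
"""

# Detection rules: one provider-specific key-id format (AWS access key ids are
# "AKIA" + 16 upper-case alphanumerics) and a generic "secret assigned to a
# quoted literal" catch-all. Extend for the providers your code base uses.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "assigned_secret": re.compile(
        r"(?i)(password|passwd|secret|api_key|token)\s*[=:]\s*['\"][^'\"]{6,}['\"]"
    ),
}


def scan_history(log_text: str) -> list:
    """Report every commit that ADDED a line matching a rule.
    Deleted ('-') lines are ignored on purpose: a later deletion does not
    make the earlier addition disappear from history."""
    findings, commit = [], None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+") and not line.startswith("+++"):
            for rule, rx in PATTERNS.items():
                if rx.search(line[1:]):
                    findings.append({"commit": commit, "rule": rule, "line": line[1:]})
    return findings


if __name__ == "__main__":
    # Real use: feed it subprocess.run(["git", "log", "-p", "--all"], ...).stdout
    for f in scan_history(SAMPLE_LOG):
        print(f"{f['commit'][:7]} {f['rule']}: {f['line']}")
```

Every hit means the value must be rotated; rewriting history afterwards only limits further spread, it does not un-expose what was already pushed.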
No, I don't store password123. But I do store hints. Things like: "netflix: same as spotify but with ! at end". Or: "work laptop PIN = anniversary reversed". It's cryptic enough for a casual snoop, but for future me? Perfect. GitHub's private repos are encrypted at rest, and I sleep fine.