name: Scan for secrets on: [push, pull_request] jobs: secret-scan: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Run gitleaks uses: gitleaks/gitleaks-action@v2 env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} Finally, train your team. Run quarterly "secrets awareness" workshops. Reward developers who discover and report exposed credentials. Make it safe to admit mistakes—if a developer fears punishment for pushing a password.txt , they may try to cover it up instead of reporting it immediately. Conclusion: The password.txt Epidemic Is Preventable Searching for password.txt github is both a terrifying and educational exercise. It reveals thousands of organizations—from solo developers to Fortune 500 companies—who have accidentally opened their digital front doors to the world. The presence of such files is not a sign of malicious intent, but of human error, rushed deadlines, and insufficient automation.
Example GitHub Actions workflow:
This article explores the phenomenon of password.txt on GitHub. We will look at why it happens, how attackers find these files within minutes, the real-world consequences of these leaks, and—most importantly—how to clean up the mess and automate secret detection before it’s too late. At first glance, the presence of a file explicitly named password.txt on a public platform seems absurd. Yet, thousands of developers have committed this exact sin. Why? 1. Local Testing and Prototyping A developer working on a new web app needs to test database connections. Instead of setting up environment variables (which takes 30 seconds), they type mysql -u root -pSuperSecret123 into a terminal. To avoid re-typing it, they save credentials in password.txt in the project root. The plan is always: “I’ll remove this before the first commit.” 2. Onboarding Shortcuts Junior developers are often handed a “getting started” document that includes a password.txt file attached to an email or Slack message. To save time, they drop the file directly into the cloned repository. When they run git add . , the file comes along for the ride. 3. The .gitignore Failure The most common tragedy is forgetting to add password.txt to the .gitignore file. A developer creates the file, tests their code, and then commits everything in the folder with git add . && git commit -m "initial commit" . By the time they push to GitHub, the secret is broadcast to the world. 4. Copy-Paste from Tutorials Ironically, some tutorials demonstrate bad practices by using password.txt as a placeholder. A novice following along doesn’t realize the placeholder is dangerous—they replace YOUR_PASSWORD_HERE with their actual production password and commit the tutorial code as-is. The Anatomy of a password.txt File (What Attackers Find) To understand the risk, let's look at what a typical leaked password.txt contains. Based on real-world GitHub searches (filtering out false positives like book summaries or game cheats), here are common contents: password.txt github
# Database credentials DB_HOST = "prod-db.internal.com" DB_USER = "admin" DB_PASSWORD = "Company2024!" AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE" AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" API tokens for Stripe, Twilio, etc. STRIPE_SECRET = "sk_live_4eC39HqLyjWDarjtT1zdp7dc" SSH private key (yes, people paste entire keys) -----BEGIN RSA PRIVATE KEY----- MIIEpAIBAAKCAQEA... name: Scan for secrets on: [push, pull_request] jobs: