For anyone wondering, if you want to remove a file or secret you've already committed, you can use BFG Repo-Cleaner to go through your commit history and completely remove any trace of it.
Just note that if it's a public repo, it may not help you, due to attackers scraping GitHub's API and mirrors like GHTorrent. From "Why Deleting Sensitive Information from Github Doesn't Save You":
Warning - in the HN comment that is linked, don't click the link; it is browser popup spam which is actually hard to close (the URL has been dropped and picked up by a spammer?)
Why would they if the tip does not have any passwords in it? It's not like a potential contributor will search the commit log to see if there were once passwords around. Besides, making such changes in public changesets is rude, to say the least.
What I mean is, lots of folks seem to be saying to ignore the presence of the file and just change the password where it's used.
Removing the file, or the password and adding a comment, as well as changing the password where it's used is much less likely to end up with a re-added password later.
Of course, removing the file, adding it to .gitignore and changing the password makes it even harder as a contributor would have to work to add the password back, which is even less likely to happen.
http://jordan-wright.com/blog/2014/12/30/why-deleting-sensit...
The top HN comment on the article details their experiences with getting hacked this way:
https://news.ycombinator.com/item?id=8818035
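
The following is an added example, not part of any comment in the thread. It builds a throwaway repository and applies the "remove the file and add it to .gitignore" step discussed above, then checks what that step does and does not change. The path `config/secrets.env` and the password value are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: config/secrets.env and its contents are made up.

# Create a temp repo, commit a secret file, then untrack it and ignore it.
# Prints the repo path on stdout.
make_demo_repo() {
    repo=$(mktemp -d) || return 1
    (
        cd "$repo" || exit 1
        git init -q .
        git config user.email "demo@example.invalid"
        git config user.name "demo"
        git config commit.gpgsign false
        mkdir config
        echo 'DB_PASSWORD=constructed-sample-value' > config/secrets.env
        echo 'app' > README
        git add -A && git commit -q -m "initial import"
        git rm -q --cached config/secrets.env      # untrack, keep local copy
        echo 'config/secrets.env' > .gitignore
        git add .gitignore && git commit -q -m "stop tracking secrets file"
    ) >/dev/null 2>&1
    echo "$repo"
}

# Is the path tracked at the current tip? Prints yes or no.
tracked_at_tip() {
    if git -C "$1" ls-files --error-unmatch -- "$2" >/dev/null 2>&1
    then echo yes; else echo no; fi
}

# Count commits reachable from any ref whose tree still contains the path.
commits_containing() {
    n=0
    for c in $(git -C "$1" rev-list --all); do
        if git -C "$1" cat-file -e "$c:$2" 2>/dev/null; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Does .gitignore now block a plain `git add` of the path? Prints yes or no.
is_ignored() {
    if git -C "$1" check-ignore -q -- "$2"; then echo yes; else echo no; fi
}

demo=$(make_demo_repo)
echo "tracked at tip:       $(tracked_at_tip "$demo" config/secrets.env)"
echo "ignored for re-add:   $(is_ignored "$demo" config/secrets.env)"
echo "commits with secret:  $(commits_containing "$demo" config/secrets.env)"
rm -rf "$demo"
```

The file is gone from the tip and guarded against being re-added, but one commit in history still carries it, which is why the thread pairs removal with changing the password.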