A colleague accidentally saw the LDAP admin password.

In a git repository.
The variable was named PASSWORD.
We all know this is wrong.
But we keep doing it.
The Problem:

We store credentials in code. Across the industry. In repositories. In config files. In variables literally named PASSWORD. And we keep pushing to main, even though we all know it’s wrong.

Why We Fall Into This:

Because “that’s how it’s done here”. Because it’s faster. Because proper secrets management feels like overhead when the deadline is in two days. Because “it’s a private repo anyway”. Because a colleague who fought against this practice six months ago just put cn=admin with a password in a config - and gave up.

It’s not laziness. It’s exhaustion from fighting a culture where “good enough” wins.

What I Do About It:

I enabled automatic scanning on every push. Yes, occasional false positives on hashes. Yes, it’s annoying. But it works.

I move credentials to CI/CD secrets, to vaults, to environment variables. Every time. Even when it feels like “it’s just for testing”.

What Helps:

Automation + consequences. A tool that blocks commits with secrets. Some organizations go further: automatic notifications to InfoSec and management on every trigger. Then it’s up to company policy - sometimes just a conversation, sometimes it affects bonuses. When there are real consequences, culture changes faster.
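What such a blocking tool looks like in practice, as an added example that is not the author's own scanner or any particular product: a small Python pre-commit check that scans the text it is given (the staged diff, in real use) for hardcoded password literals, inline LDAP admin bind passwords and PEM private keys, and that suppresses the hash false positive mentioned above by ignoring values that are plain MD5/SHA-1/SHA-256 hex digests. The rule names, the `# secrets-scan: allow` marker and the sample file contents are all constructed for this example.

```python
"""Minimal secret scanner for a pre-commit / pre-push hook (illustrative, not a product).

Usage inside a hook:  git diff --cached | python scan_secrets.py
Run with no piped input and it scans the constructed SAMPLE below.
"""
import re
import sys
from dataclasses import dataclass

# Detection rules (constructed for this example): name, regex, description.
# Capture group 1, where present, is the candidate secret value.
RULES = [
    ("hardcoded-password-literal",
     re.compile(r'(?i)(?:password|passwd|pwd)\s*[:=]\s*["\']([^"\']{4,})["\']'),
     "a password-named variable assigned a string literal"),
    ("ldap-admin-bind",
     re.compile(r'(?i)cn=admin[^"\']*["\']\s*,\s*["\']([^"\']{4,})["\']'),
     "LDAP admin bind DN followed by an inline password"),
    ("private-key-block",
     re.compile(r'-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----'),
     "PEM private key material"),
]

# Plain MD5 / SHA-1 / SHA-256 hex digests: the classic false positive.
HEX_DIGEST = re.compile(r'^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$')
# Inline marker for reviewed exceptions (e.g. an obviously fake test value).
ALLOW_MARKER = "# secrets-scan: allow"


@dataclass
class Finding:
    line_no: int
    rule: str
    description: str
    line: str


def looks_like_digest(value: str) -> bool:
    """True if the captured value is just a hex digest, not a usable credential."""
    return bool(HEX_DIGEST.match(value))


def scan_text(text: str) -> list[Finding]:
    """Return one Finding per line that trips a rule (first matching rule wins)."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for name, pattern, desc in RULES:
            m = pattern.search(line)
            if not m:
                continue
            captured = m.group(1) if m.groups() else ""
            if captured and looks_like_digest(captured):
                continue  # a hash, not a secret: do not block on it
            findings.append(Finding(n, name, desc, line.strip()))
            break
    return findings


def should_block(text: str) -> bool:
    """Hook decision: block the commit if any finding survives the filters."""
    return bool(scan_text(text))


# Constructed sample: what a typical offending file plus its fixed lines look like.
SAMPLE = """\
LDAP_URL = "ldap://ldap.example.internal"
PASSWORD = "Sup3rSecret!"
ldap.simple_bind_s("cn=admin,dc=example,dc=com", "Sup3rSecret!")
EXPECTED_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
PASSWORD = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
PASSWORD = os.environ["LDAP_ADMIN_PASSWORD"]
TEST_PASSWORD = "dummy"  # secrets-scan: allow
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for f in scan_text(source):
        print(f"line {f.line_no}: [{f.rule}] {f.description}: {f.line}")
    sys.exit(1 if should_block(source) else 0)
```

Against the sample, lines 2, 3 and 8 are flagged and the hook exits non-zero; the SHA-256 digest on line 5, the environment-variable lookup on line 6 and the explicitly allowed test value on line 7 pass, which is the trade-off the post describes: a few regexes catch the `PASSWORD = "..."` habit, and a digest filter plus a reviewed allow-marker keep the annoyance low enough that people leave the hook turned on.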

Honest conversation helps too: “I know this takes longer. But when it leaks - it’ll take even longer and cost more”.

So:

You don’t have to keep lying to yourself that “private repo means secure”. That “we’ll refactor later”. That “we won’t get hacked”.

A colleague learned the LDAP admin password by accident today. Tomorrow - someone else will learn it on purpose.