Removing Accidental Passwords from Git History
Author: Yair Mark (@yairmark)
There comes a time in every developer's career when they commit and push sensitive information, such as a password, to Git by mistake.
Simply removing the password in a later commit is not sufficient, as anyone can look at a previous version of the repo and see the password again. Rewriting history also does not revoke the credential itself: once it has been pushed, treat it as compromised and rotate it as well.
Luckily, scrubbing it from history can be done quite easily using a tool called BFG (BFG Repo-Cleaner).
To get started, first download the latest BFG jar from here.
Then create a password.txt file and put each password you want to wipe on its own line. For example, say I want to remove super$uperSecurePassword1 and superSuperSecurePass2; our file would then look as follows:
super$uperSecurePassword1
superSuperSecurePass2
Then copy the jar and the password.txt file to the affected repo and run the following (the jar name will vary with your version of BFG). Note that by default BFG does not modify the contents of your latest commit, so the password must already be removed from the current files and committed before BFG will rewrite the older commits:
# rewrite every commit, replacing each string listed in password.txt
java -jar bfg-1.13.2.jar --replace-text password.txt
# remove the jar just to ensure we do not commit it
rm bfg-1.13.2.jar
# remove the password.txt to make sure we do not commit it
rm password.txt
# drop the reflog entries and unreachable objects that still hold the old blobs
git reflog expire --expire=now --all && git gc --prune=now --aggressive
# the history has been rewritten, so a normal push would be rejected
git push --force
If you look back through your version history you should now see the specified passwords replaced with ***REMOVED***. You can change what each password is replaced with by adding a space between the password and the replacement word on each line of the password.txt file.
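As an added example that is not part of the original post, the POSIX shell script below builds a throwaway repository, commits a constructed fake password, overwrites it in a second commit and then shows that the password is still recoverable from history, which is exactly why the later-commit "fix" is not enough. The secret_in_history function is the check to run against the real repository before the BFG rewrite and again after the reflog expiry, garbage collection and force push; the repository path, the config.ini file name, the commit messages and the demo identity are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original post. Builds a throwaway repo with a
# constructed fake password, "removes" it in a second commit, and provides a
# check that shows whether the password is still present anywhere in history.
set -eu

# Exit 0 if the literal string $2 appears anywhere in the history of the
# repository at $1 (all refs, every diff and commit message), else exit 1.
secret_in_history() {
  repo=$1
  secret=$2
  git --no-pager -C "$repo" log --all -p | grep -qF -- "$secret"
}

# Stage everything in repo $1 and commit it with message $2, using a fixed
# identity so the demo runs on a machine with no git user configured.
demo_commit() {
  git -C "$1" add -A
  git -C "$1" -c user.name=demo -c user.email=demo@example.com \
      -c commit.gpgsign=false commit -q -m "$2"
}

# Create the throwaway repository and print its path. The file name, commit
# messages and the password itself are constructed for this demo.
make_demo_repo() {
  repo=$(mktemp -d)
  git init -q "$repo"
  printf 'db_password=super$uperSecurePassword1\n' > "$repo/config.ini"
  demo_commit "$repo" "add database config"
  # The "fix" that is not sufficient: the old blob stays reachable in history.
  printf 'db_password=<moved to secret store>\n' > "$repo/config.ini"
  demo_commit "$repo" "remove password from config"
  printf '%s\n' "$repo"
}

# Demo: the password is gone from the working tree but not from history.
repo=$(make_demo_repo)
if secret_in_history "$repo" 'super$uperSecurePassword1'; then
  echo "password still recoverable from history of $repo"
else
  echo "password not found in history of $repo"
fi
rm -rf "$repo"
```

To use the check on a real repository, call secret_in_history with the repository path and the password from password.txt; it should succeed before the BFG run and fail afterwards. Because it scans git log --all, it also covers branches and tags other than the one you are on, which is where forgotten copies of a secret usually survive.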