Removing Accidental Passwords from Git History
- Yair Mark
There comes a time in every developer's career when they mistakenly commit and push sensitive information, such as a password, to Git.
Simply removing the password in a later commit is not sufficient, as anyone can look at a previous version of your repo and see the password again.
Luckily, this can be solved quite easily using a tool called BFG.
To get started, first download the latest jar from here
Then create a password.txt file. In it, put each password you want to wipe on its own line. For example, say I want to remove superSuperSecurePass2; our file would then look as follows:
Then copy the jar and password.txt file to the affected repo and run the following (the jar name will change depending on your version of BFG):
    java -jar bfg-1.13.2.jar --replace-text password.txt
    # remove the jar just to ensure we do not commit it
    rm bfg-1.13.2.jar
    # remove the password.txt to make sure we do not commit it
    rm password.txt
    git reflog expire --expire=now --all && git gc --prune=now --aggressive
    git push --force
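Before deleting password.txt and force pushing, it is worth confirming that the rewrite actually removed every listed string, because BFG by default leaves the contents of your latest commit untouched. The following check is an added example, not part of the original post or of BFG; the function name `leaked_secrets` is hypothetical, and it assumes one literal password per line in the file.

```shell
#!/bin/sh
# Added example (not from the original post): check that no string listed in
# a secrets file is still present in any commit reachable from any ref.
# Assumption: the file holds one literal secret per line.
# Usage: leaked_secrets <repo-dir> <secrets-file>
# Prints the file line number and commit count for each secret still found
# (never the secret itself) and returns 1 if any secret remains, else 0.
leaked_secrets() {
    repo=$1
    secrets=$2
    any_found=0
    lineno=0
    while IFS= read -r secret || [ -n "$secret" ]; do
        lineno=$((lineno + 1))
        if [ -z "$secret" ]; then continue; fi
        # Search the full tree of every commit; -F treats the secret as a
        # fixed string and -e keeps a leading "-" from being read as an option.
        commits=$(git -C "$repo" rev-list --all |
            xargs -r git -C "$repo" grep -l -F -e "$secret" 2>/dev/null |
            cut -d: -f1 | sort -u | wc -l | tr -d ' ')
        if [ "$commits" -gt 0 ]; then
            echo "secret on line $lineno: present in $commits commit(s)"
            any_found=1
        fi
    done < "$secrets"
    return "$any_found"
}

# Run directly as: sh check.sh <repo-dir> <secrets-file>
if [ "$#" -eq 2 ]; then
    leaked_secrets "$1" "$2"
fi
```

A password that was already pushed should still be changed, since clones and forks made before the rewrite keep the old history.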
If you look back in your version history you should now see the specified passwords as ***REMOVED***. You can change what the password is replaced with by adding a space between the password and having the replacement word for each line in the