For those who have accidentally committed passwords, api keys, etc to a guy repo, we have a great tool available to take care of it, BFG. BFG will remove those secrets from the entire git repository’s history, not just the most recent commit.
bfg --replace-text passwords.txt
git reflog expire --expire=now --all && git gc --prune=now --aggressive
Passwords.txt is just a line delimited list of passwords. Just don’t commit this to your repo