I personally have only kept passwords in separate files which aren't under version control. However, you should be able to use git filters to automatically mask passwords for you. Something like:
# In global or local git/config (extra backslashes needed for git)
clean = /usr/bin/perl -pe 's/^password\\s*=\\s*\\K.*/PASSWORD/'
# In repo/.gitattributes
Now the repo will store "password=PASSWORD" regardless of what you set the password to locally.