I understand completely how this is insecure, but throughout testing, I one-off my communication channel names, and flick out passphrases for them, then when I go to prod for real, I write code that will write to EEPROM, save the prod connection info, then go from there.
So the creds aren't really creds, but only for testing etc? Well, then I'd just use the last commit id as channel name and its commit message as passphrase or vice versa. That way you only have to keep track of real credentials used for production tags.
perl -le'print map{pack c,($-++?1:13)+ord}split//,ESEL'