I personally have only kept passwords in separate files which aren't under version control. However, you should be able to use git filters to automatically mask passwords for you. Something like:
```
# In global or local git/config (extra backslashes needed for git)
[filter "hide-password"]
clean = /usr/bin/perl -pe 's/^password\\s*=\\s*\\K.*/PASSWORD/'
# In repo/.gitattributes
settings.conf filter=hide-password
# settings.conf
password=3zhGERnFhzaUVs
foo=bar
...
```
Now the repo will store "password=PASSWORD" regardless of what you set the password to locally.