Putting authentication information in a separate file is the way to go. My client's authentication information is stored in modules that are stored in a location separate from all of the code, which means it's easy to check all of the non-authentication code into github (in private repositories), safe in the knowledge that there's no confidential information stored off-site.