My problem: cygwin git doesn't seem to correctly prompt for credentials when using https:// URLs, so I used username and password in the URL. Unfortunately when I did a "get pull" it auto-commited a message with the full URL including password. I didn't notice this until after I had pushed the changes.
How do I edit old commit messages to eradicate the password in the URL?
My shared git repo is on my own server. I can do surgery on the repo if necessary.
Instructions on how to change my configuration (i.e. don't use Cygwin, don't use https) are unnecessary -- I'm trying to deal with what is already done.
Yes, I can and will burn the password but I'd still like to fix it.
The link to removing sensitive data on git-hub is useful. However, I found a tool that was very straight-foward to use: Eric Raymond reposurgeon.
This tool allowed me to easily import my repo, list the commits with the issue, edit them (I did so individually) and write out a git fast-import stream of my repo. I imported that stream into a new repo and rsync'd it into place.
The downside is that my old repo is completely dead -- I changed history. That would be true of using "git filter-branch" as well, according to the docs.