I just want to note that force-pushing to erase secrets is Bad Practice.
For one thing, it doesn't even erase the secret, because the pushed-over commit is still in the reflog and will likely be there for some time without more dramatic measures.
Even if you knew for sure you had removed that commit ID from the upstream repo, you have no idea if an attacker isn't constantly pulling the most recent commits and got your password in that brief moment while the commit existed.
Once you have pushed a password or other secret to a public place, it is burnt. It needs to be changed instantly. You shouldn't even waste the two seconds it would take to force push over it, because it would delay you from changing it.
I would add that I'm a senior developer and I use force push a dozen times or more a day.
I do all my work on private branches and then make heavy use of rebase and other tools so that the final commit stream is as perfect as I can make it.
This is great, because I commit every time all my tests pass. There are plenty of days when I make over a hundred commits, because I'm working on something tricky that I've broken before, where I make small incremental changes, run the tests, and commit.
No one else sees these hundred commits, because I boil them down to a tiny number of elegant changes, but it's great for me, and particularly good if I found I've broken something at the end, as I can use git bisect and identify often just a single line of code I changed.
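An added example, not part of the original comment: a throwaway reproduction of the point above that a force push moves the branch but leaves the pushed-over commit behind. The repo names, file name and placeholder "secret" are constructed for the demo, and the upstream is a local bare repository standing in for a hosted one.

```shell
#!/bin/sh
# Constructed demo: push a commit containing a placeholder secret, force-push
# over it, then check whether the commit is really gone.
leaked_commit_survives() {
    work=$(mktemp -d) || return 2
    (
        cd "$work" || exit 2
        # Isolate from the user's git configuration.
        HOME=$work; GIT_CONFIG_NOSYSTEM=1
        GIT_AUTHOR_NAME=demo; GIT_AUTHOR_EMAIL=demo@example.invalid
        GIT_COMMITTER_NAME=demo; GIT_COMMITTER_EMAIL=demo@example.invalid
        export HOME GIT_CONFIG_NOSYSTEM GIT_AUTHOR_NAME GIT_AUTHOR_EMAIL
        export GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL

        git init -q --bare upstream.git || exit 2
        git init -q dev && cd dev || exit 2
        echo "setting=1" > app.conf
        git add app.conf && git commit -q -m "initial" || exit 2

        # The mistake: a secret is committed and pushed.
        echo "password=PLACEHOLDER-NOT-A-REAL-SECRET" >> app.conf
        git commit -q -am "add config" || exit 2
        leaked=$(git rev-parse HEAD)
        branch=$(git symbolic-ref --short HEAD)
        git push -q ../upstream.git "$branch" || exit 2

        # The "fix": drop the commit locally and force-push over it.
        git reset -q --hard HEAD~1
        git push -q --force ../upstream.git "$branch" || exit 2

        # The upstream branch no longer points at the leaked commit...
        [ "$(git -C ../upstream.git rev-parse "$branch")" != "$leaked" ] || exit 3
        # ...but the object is still in the upstream object store, and the
        # file content is readable by anyone who knows the commit ID.
        git -C ../upstream.git cat-file -p "$leaked:app.conf" \
            | grep -q PLACEHOLDER || exit 4
        # The local reflog still lists the commit as well.
        git reflog --format=%H | grep -q "$leaked" || exit 5
    )
    rc=$?
    rm -rf "$work"
    return $rc
}

leaked_commit_survives && echo "leaked commit still retrievable after force push"
```

A zero return means every check passed: the branch moved, yet the secret-bearing commit was still readable from both sides, which is why rotating the credential is the only real fix.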