A very simple way to make sure that passwords are not pushed in your VCS is to exclude any file matching myproject/security*. It would also be a good idea to reduce the access to such files by removing read rights for users other than the one running django.
Files that should not be pushed to your VCS are: