
I think the issue is that it's highly environment-specific and there's no single best practice aside from general principles like "don't store passwords in your repo".



I'm not sure that I'd even go so far as to say no passwords in the repo. In some environments, the developer is the only one with access to DB and the app code, and there is no growth planned (no separation of responsibilities), in which case it is acceptable even if not optimal to have them in database.yml.


Yes, but the developers who know how to remove such hard-coded variables, and where to store them, will, out of habit, go the extra step, even if out of paranoia, because such a step is likely forgotten when the repo suddenly needs to be opened up.

The more common case I've come across is that devs who leave their passwords hard-coded do so because they are inexperienced and know of no other way. I wish the best practice were the default in this situation.
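Added example, not part of the thread above or of any Rails project: the thread talks about passwords sitting in database.yml versus being kept out of the repo, and the Rails convention is that config/database.yml is run through ERB before YAML parsing, so a `<%= ENV.fetch("DATABASE_PASSWORD") %>` tag pulls the secret from the environment at boot. The script below embeds two constructed database.yml samples (one with a literal password, one env-backed), loads them the way Rails does, and adds a small line-based check that flags literal values under secret-looking keys, the kind of check you would run before a repo is opened up. The key names in `SECRET_KEYS` and the `DATABASE_PASSWORD` variable name are assumptions for the example.

```ruby
require "erb"
require "yaml"

# Constructed sample: the anti-pattern from the thread, a literal password
# committed in database.yml.
HARDCODED_YML = <<~YAML
  production:
    adapter: postgresql
    host: db.internal
    username: app
    password: hunter2
YAML

# Constructed sample: same file, secret supplied by the environment through an
# ERB tag. Rails evaluates ERB in database.yml before parsing the YAML, so the
# repo never contains the value. ENV.fetch raises KeyError if the variable is
# unset, which fails the boot loudly instead of silently connecting with nil.
ENV_BACKED_YML = <<~YAML
  production:
    adapter: postgresql
    host: db.internal
    username: app
    password: <%= ENV.fetch("DATABASE_PASSWORD") %>
YAML

# Load a database.yml the way Rails does: render ERB, then parse YAML.
def load_database_config(yml_text)
  rendered = ERB.new(yml_text).result(binding)
  YAML.safe_load(rendered)
end

# Keys whose literal values should not be committed (assumed list for the example).
SECRET_KEYS = %w[password secret token api_key].freeze

# Scan the raw (un-rendered) file and return "section.key" for every secret-looking
# key that carries a literal value. ERB tags (<%= ... %>) and blank values pass.
# Line-based on purpose: the raw file is ERB + YAML, so it is scanned before rendering.
def find_hardcoded_secrets(yml_text)
  findings = []
  section = nil
  yml_text.each_line do |line|
    next if line.strip.empty? || line.lstrip.start_with?("#")
    if (m = line.match(/\A(\w+):\s*\z/))     # top-level section, e.g. "production:"
      section = m[1]
      next
    end
    next unless (m = line.match(/\A\s+([\w.-]+):\s*(.*?)\s*\z/))
    key, value = m[1], m[2]
    next unless SECRET_KEYS.include?(key.downcase)
    next if value.empty? || value.start_with?("<%")   # env-backed or left blank
    findings << "#{section}.#{key}"
  end
  findings
end

if __FILE__ == $0
  puts "hard-coded: #{find_hardcoded_secrets(HARDCODED_YML).inspect}"   # ["production.password"]
  puts "env-backed: #{find_hardcoded_secrets(ENV_BACKED_YML).inspect}"  # []
  ENV["DATABASE_PASSWORD"] ||= "constructed-secret"
  puts load_database_config(ENV_BACKED_YML)["production"]["username"]   # app
end
```

The scanner is deliberately conservative: it only looks at keys whose names suggest a secret and only complains about literal values, so an env-backed file passes cleanly while the committed-password file is reported with the section it lives in.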