It's all fun and games until some doofus posts a password in Slack and now your security team demands 30-day retention and you can't use Slack to search for anything anymore.


If a doofus posts a password, the doofus gets to run the password rotation runbook for that service, done. If the runbook is too long, a PR to automate it is a great alternative.

In one particularly unfortunate case I can recall, the same engineer, having been thoroughly tired out by the lengthy and stressful (production-critical) rotation procedure, then pasted the new password again when announcing the rotation's completion. But it never happened after that. :-)


Doofus is an HR person who posted a login to a yoga signup website. So, no, they're not rotating anything but that password.

Everybody gets to lose Slack memory so "it won't happen again."
