I don’t think that keeping passwords to keys inside build.gradle is a good practice, especially if the project is hosted on a third-party repository host. In my opinion, a better approach would be to put the password into environment variable and read it from the buildscript.