Finding a password.txt file via these queries usually points to one of three scenarios:
If you actually find a live result for index of password txt exclusive, you are handling live, unprotected credentials. The risks are severe on both sides of the transaction. index of password txt exclusive
Add rules to block access to *.txt, *.conf, *.log, *.sql, and *.bak files. Example for Apache: Finding a password
<FilesMatch "\.(txt|conf|log|sql|bak)$">
Require all denied
</FilesMatch>