diff --git a/.gitignore b/.gitignore
index 13d1490..42c1eac 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,8 @@
 # ---> Python
+
+# secret passwords and so
+/secrets.json
+
 # Byte-compiled / optimized / DLL files
 __pycache__/
 *.py[cod]
@@ -128,4 +132,3 @@ dmypy.json
 
 # Pyre type checker
 .pyre/
-
diff --git a/foerderbarometer/settings.py b/foerderbarometer/settings.py
index 5a49f08..4b06fe9 100644
--- a/foerderbarometer/settings.py
+++ b/foerderbarometer/settings.py
@@ -10,14 +10,29 @@ For the full list of settings and their values, see
 https://docs.djangoproject.com/en/3.1/ref/settings/
 """
 
+import json
+import os
 from pathlib import Path
 
+from django.core.exceptions import ImproperlyConfigured
+
 # mails in development go to stdout
 EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
 
 # Build paths inside the project like this: BASE_DIR / 'subdir'.
 BASE_DIR = Path(__file__).resolve().parent.parent
 
+# get secrets
+with open(os.path.join(BASE_DIR, 'secrets.json')) as secrets_file:
+    secrets = json.load(secrets_file)
+
+def get_secret(setting, secrets=secrets):
+    """Get secret setting or fail with ImproperlyConfigured"""
+    try:
+        return secrets[setting]
+    except KeyError:
+        raise ImproperlyConfigured("Set the {} setting".format(setting))
+
 
 # Quick-start development settings - unsuitable for production
 # See https://docs.djangoproject.com/en/3.1/howto/deployment/checklist/
@@ -85,6 +100,7 @@ DATABASES = {
     'default': {
         'ENGINE': 'django.db.backends.sqlite3',
         'NAME': BASE_DIR / 'db.sqlite3',
+        'PASSWORD': get_secret('DATABASE_PASSWORD')
     }
 }