gitlab-group-clone
Tokens should not be stored in repository remotes, at least by default
When cloning using --http --token <MyToken>, all git repository remotes include the token:
https://token:<MyToken>@gitlab.mycompany.com/path/to/repo.git
I think, at least by default, remotes should be created without the auth part (and we rely on git credential.helper=store to hold the token), and writing the token in each and every repo's remotes should be an explicit request from the user.
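
An added example, not part of the original issue or of gitlab-group-clone: a shell script for repositories that were already cloned this way, which finds remotes whose URL carries a `user:token@` part and rewrites them without it. The function names are this example's own, the host in the comments is the one from the issue, and it assumes git 2.7 or later for `git remote get-url`.

```shell
#!/bin/sh
# Added example: scrub credentials embedded in git remote URLs.

# strip_url_auth URL -> prints URL with any "user:password@" part removed.
# Only http(s) URLs are touched; SSH forms such as git@host:path are left alone.
strip_url_auth() {
    printf '%s\n' "$1" | sed -E 's#^(https?://)[^/@]*@#\1#'
}

# url_has_auth URL -> exit status 0 when the URL carries a userinfo part.
url_has_auth() {
    [ "$(strip_url_auth "$1")" != "$1" ]
}

# scrub_repo DIR -> rewrites every remote of the repository in DIR whose URL
# embeds credentials. Prints the repository and remote name, never the token.
# Note: this covers remote.<name>.url; a separately configured pushurl is not
# examined here.
scrub_repo() {
    repo=$1
    for name in $(git -C "$repo" remote); do
        url=$(git -C "$repo" remote get-url "$name")
        if url_has_auth "$url"; then
            # e.g. https://token:<MyToken>@gitlab.mycompany.com/path/to/repo.git
            #   -> https://gitlab.mycompany.com/path/to/repo.git
            git -C "$repo" remote set-url "$name" "$(strip_url_auth "$url")"
            printf 'scrubbed %s (%s)\n' "$repo" "$name"
        fi
    done
}

# scrub_tree ROOT -> runs scrub_repo on every work tree found below ROOT.
scrub_tree() {
    find "$1" -type d -name .git -prune | while IFS= read -r gitdir; do
        scrub_repo "$(dirname "$gitdir")"
    done
}

# Usage: sh scrub-remotes.sh /path/to/cloned/group
if [ "$#" -gt 0 ]; then
    scrub_tree "$1"
fi
```

After scrubbing, git asks the configured credential helper for the token instead of reading it from each repository's config. With `credential.helper=store` the token is still kept in plaintext, but in one file (`~/.git-credentials`) rather than in every clone.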