diff --git a/lib/modules/manager/git-submodules/extract.spec.ts b/lib/modules/manager/git-submodules/extract.spec.ts
index 42f4a289a27683aab30b7b833a4de84d231a4fc3..5eccd1d1a7b5428beae4194ebcdc17b88a427933 100644
--- a/lib/modules/manager/git-submodules/extract.spec.ts
+++ b/lib/modules/manager/git-submodules/extract.spec.ts
@@ -247,7 +247,7 @@ describe('modules/manager/git-submodules/extract', () => {
             currentValue: 'main',
             depName: 'some-azure',
             packageName:
-              'https://organization@dev.azure.com/organization/whitespace%20project/_git/repo',
+              'https://dev.azure.com/organization/whitespace%20project/_git/repo',
           },
         ],
       });
diff --git a/lib/util/git/url.spec.ts b/lib/util/git/url.spec.ts
index 194e653775f91a0c7082d49b2bbd17c99f115d20..eda3e6bf423c54a1374c62750deaa55b92641621 100644
--- a/lib/util/git/url.spec.ts
+++ b/lib/util/git/url.spec.ts
@@ -78,6 +78,21 @@ describe('util/git/url', () => {
         'https://x-access-token:token@github.com/some/repo'
       );
     });
+
+    it('removes username/password from URL', () => {
+      expect(getHttpUrl('https://user:password@foo.bar/someOrg/someRepo')).toBe(
+        'https://foo.bar/someOrg/someRepo'
+      );
+    });
+
+    it('replaces username/password with given token', () => {
+      expect(
+        getHttpUrl(
+          'https://user:password@foo.bar/someOrg/someRepo',
+          'another-user:a-secret-pwd'
+        )
+      ).toBe('https://another-user:a-secret-pwd@foo.bar/someOrg/someRepo');
+    });
   });
 
   describe('getRemoteUrlWithToken()', () => {
diff --git a/lib/util/git/url.ts b/lib/util/git/url.ts
index 4dd08563f140317b65d3ba526ddfe5d7774d9b18..0b573a7dac1d086f546c06cf333e2c7613fa1898 100644
--- a/lib/util/git/url.ts
+++ b/lib/util/git/url.ts
@@ -15,6 +15,7 @@ export function getHttpUrl(url: string, token?: string): string {
     ? parsedUrl.protocol
     : 'https';
 
+  parsedUrl.user = '';
   parsedUrl.token = token ?? '';
 
   if (token) {