These files typically end up on the open web for three reasons:

So, an index of / page showing password.txt means someone can see—and download—a plain text file named password.txt from that server.

This is the specific file name. password.txt is a common name for a plain-text file used by developers, system administrators, or even end-users to store login credentials, API keys, or other sensitive information.

When a web server is misconfigured to allow directory listing (CWE-548), it creates a critical Information Disclosure vulnerability.