Best practice for docker compose passwords?

For example I have a docker compose stack with a service and a db.
\ How do you handle the passwords? Is it better to store them in a .env file or is there something different entirely?

Also do the passwords have to be strong if the db is only available to the service through the docker network?