Disable `show_password_hint` by default

A setting that provides unauthenticated access to potentially sensitive data
shouldn't be enabled by default.

.env.template

@@ -210,8 +210,10 @@
 ## The change only applies when the password is changed
 # PASSWORD_ITERATIONS=100000
 
-## Whether password hint should be sent into the error response when the client request it
+## Controls whether a password hint should be shown directly in the web page if
-# SHOW_PASSWORD_HINT=true
+## SMTP service is not configured. Not recommended for publicly-accessible instances
+## as this provides unauthenticated access to potentially sensitive data.
+# SHOW_PASSWORD_HINT=false
 
 ## Domain settings
 ## The domain must match the address from where you access the server

src/config.rs

@@ -388,9 +388,10 @@ make_config! {
         /// Password iterations |> Number of server-side passwords hashing iterations.
         /// The changes only apply when a user changes their password. Not recommended to lower the value
         password_iterations:    i32,    true,   def,    100_000;
-        /// Show password hints |> Controls if the password hint should be shown directly in the web page.
+        /// Show password hint |> Controls whether a password hint should be shown directly in the web page
-        /// Otherwise, if email is disabled, there is no way to see the password hint
+        /// if SMTP service is not configured. Not recommended for publicly-accessible instances as this
-        show_password_hint:     bool,   true,   def,    true;
+        /// provides unauthenticated access to potentially sensitive data.
+        show_password_hint:     bool,   true,   def,    false;
 
         /// Admin page token |> The token used to authenticate in this very same page. Changing it here won't deauthorize the current session
         admin_token:            Pass,   true,   option;