I looked a little into this.
I think nobody does “show password hint” anymore… So I think this should be completely disabled, or maybe configurable in security.properties. The related Java seems to be applications/securityext/src/org/ofbiz/securityext/login/LoginEvents.java and I don’t see anything in the code that references security.properties to control what users are exempt or any controls at all for “forget password”. So I think this is an area that could be improved.
Yes, the default email for admin is email@example.com, and by default, email notifications are disabled, so changing the password to admin without any of these being set is trouble, or annoying.
Also: There is a real domain called “example.com”
$ host example.com
example.com has address 126.96.36.199
example.com has IPv6 address 2606:2800:220:1:248:1893:25c8:1946
Just for the heck of it I checked if it has an MX record…
$ host -t mx example.com
example.com has no MX record
It does not. I also checked if port 25 is open… It is not.
$ telnet 188.8.131.52 25
However, if port 25 WAS open, and there was a user called “ofbiztest”, the “admin” account password would have been emailed to them.
I think you see where this is going…
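
An added example, not part of the original post and not OFBiz code: a defender-side audit that flags accounts whose password-recovery address is missing or sits under a domain reserved by RFC 2606 (example.com, example.net, example.org, and the .test, .example, .invalid and .localhost TLDs), which is the condition the post describes for the default admin address. The account list, user names and function names are constructed for illustration.

```python
# Added example: audit account recovery e-mail addresses for placeholder domains.
# The account list is constructed sample data, not an OFBiz export.

RESERVED_DOMAINS = {"example.com", "example.net", "example.org"}  # RFC 2606 names
RESERVED_TLDS = {"test", "example", "invalid", "localhost"}        # RFC 2606 TLDs


def email_domain(address):
    """Return the lower-cased domain of an address, or None if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    domain = domain.rstrip(".").lower()
    if not sep or not local or not domain:
        return None
    return domain


def is_placeholder(domain):
    """True if the domain is, or sits under, an RFC 2606 reserved name."""
    labels = domain.split(".")
    if labels[-1] in RESERVED_TLDS:
        return True
    return any(".".join(labels[i:]) in RESERVED_DOMAINS for i in range(len(labels)))


def audit(accounts):
    """Return (user, email, reason) for accounts whose recovery mail is unsafe."""
    findings = []
    for user, email in accounts:
        domain = email_domain(email or "")
        if domain is None:
            findings.append((user, email, "missing or malformed address"))
        elif is_placeholder(domain):
            findings.append((user, email, "placeholder domain " + domain))
    return findings


# Constructed sample accounts (user login id, recovery e-mail).
SAMPLE_ACCOUNTS = [
    ("admin", "ofbiztest@example.com"),
    ("support", "ops@mail.Example.ORG."),
    ("demo", "demo@shop.test"),
    ("alice", "alice@corp.internal"),
    ("bob", ""),
]

if __name__ == "__main__":
    for user, email, reason in audit(SAMPLE_ACCOUNTS):
        print(f"{user}: {email!r} -> {reason}")
```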