init: use explicit_bzero() for clearing passwords

This is a nop in practice, because it cannot be proven that this
particular bzero() is not significant. Make it explicit anyways, rather
than relying on an implementation detail of how the password is
collected.

Discussed with: Andrew Gierth <andrew tao146 riddles org uk>