Re: SMS
Bigger question.
Why is the admin password not hashed, so that it doesn't even know what the password is and hence can't "send" it to anyone anyway? It shouldn't be storing the damn thing in plaintext.
And it certainly shouldn't be capable of emailing out the hash, even. Literally, that's why /etc/shadow is locked down in terms of access and only login utilities can read it. There's no need for it to be texting it out, in the same way there's no need to ever "inform people" of what their password used to be. You just shouldn't be able to do it.
Least privilege principle.
You can't "stop" all the possible exploits, out-of-bounds, poor-sanitisation, etc. tricks.
But you CAN stop those things being able to do anything even vaguely interesting even if they do work.
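The storage model the comment above argues for, as an added example that is not part of the original post: the device keeps only a salted, slow hash of the admin password, so there is no plaintext for any code path to send, and the forgotten-password path can only replace the credential. The function names, record format and sample password are hypothetical; PBKDF2-HMAC-SHA256 is used here because it ships in Python's standard library.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Return the only thing that gets stored: scheme, cost, salt and derived key."""
    salt = secrets.token_bytes(16)  # unique per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(record: str, candidate: str) -> bool:
    """Check a login attempt by recomputing the hash; malformed records fail closed."""
    try:
        scheme, iters, salt_hex, dk_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        got = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, int(iters))
    except (ValueError, OverflowError):
        return False
    return hmac.compare_digest(got, expected)  # constant-time comparison


def recover_access(store: dict, user: str) -> str:
    """Forgotten-password path: the old password cannot be disclosed because it
    is not stored, so issue a fresh temporary one and overwrite the record."""
    temp = secrets.token_urlsafe(12)
    store[user] = make_record(temp)
    return temp


if __name__ == "__main__":
    store = {"admin": make_record("S3cret-constructed")}  # constructed sample
    print(store["admin"])                                 # no plaintext in the record
    print(verify(store["admin"], "S3cret-constructed"))
    temp = recover_access(store, "admin")
    print(verify(store["admin"], temp), verify(store["admin"], "S3cret-constructed"))
```

The stored record still needs the access restrictions the comment describes for /etc/shadow, since a leaked hash can be attacked offline.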