Brad Wood

December 19, 2013

We try not to break backwards compatibility in the ColdBox framework, but sometimes there's a compelling reason to do so.  In the notes for the 3.8 release you may have seen [COLDBOX-218] - Default reinit and debug hashed passwords.

Taking a cue from recent breaches on the Internet, we're focusing on making things more "secure by default".  That simply acknowledges that a lot of applications will never receive proper hardening, and if the out-of-the-box settings are secure, then the server is less likely to be left vulnerable.  Previously, if no ReinitPassword or DebugPassword settings were supplied in the config, we would allow the framework to be reinitialized and debug mode to be turned on without any password at all.  

While that may be convenient for people getting started in ColdBox, it's an invitation to hackers on a production server.  Starting with ColdBox 3.8, if you don't specify a ReinitPassword or a DebugPassword setting at all, you won't be able to reinitialize the framework or enable debug mode.  Don't worry, you can still use these features without a password on your development servers.  Simply specify an empty string for your ReinitPassword and DebugPassword settings.  If you have these settings defined already, you will have no change in functionality.  This will only affect ColdBox installs that have no setting at all.
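An added configuration example (not from the original post or the ColdBox project) showing the three states described above in a Coldbox.cfc: a real password for production, an explicit empty string for development, and a comment on what omitting the keys now means. The application name, the development host pattern and the placeholder password are assumptions.

```cfml
// Coldbox.cfc (ColdBox 3.8 or later)
component {

    function configure(){

        coldbox = {
            appName   = "MyApp",   // assumed application name
            debugMode = false,

            // Production: reinit and debug mode require this password.
            // Placeholder value; keep the real secret out of source control.
            reinitPassword = "REPLACE_WITH_STRONG_SECRET",
            debugPassword  = "REPLACE_WITH_STRONG_SECRET"

            // Before 3.8, leaving reinitPassword/debugPassword out entirely
            // meant reinit and debug mode were open with no password at all.
            // From 3.8 on, leaving them out means neither feature can be used.
        };

        // Host name patterns (regex, comma separated) that select the
        // development() overrides below; pattern is an assumption.
        environments = {
            development = "^localhost,^127\.0\.0\.1"
        };
    }

    // Runs after configure() only when the host matches "development".
    function development(){
        // An empty string (not a missing key) is what keeps the
        // no-password behaviour on development machines under 3.8.
        coldbox.reinitPassword = "";
        coldbox.debugPassword  = "";
        coldbox.debugMode      = true;
    }
}
```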

More info here: http://wiki.coldbox.org/wiki/ConfigurationCFC.cfm#Development_Settings

P.S. You may find yourself in a catch-22 situation where you have no reinit password, but you can't apply one without reinitting.  In this case, simply restart the CF engine or call ApplicationStop() to manually reload the framework and pick up your new settings.
