prevent app_get_pass() from revealing cleartext password on syntax error

When the argument for '-pass' was badly formed, that argument got
displayed in full.  This turns out to not be such a good idea if the
user simply forgot to start the argument with 'pass:', or spellt the
prefix incorrectly.  We therefore change the display to say that a
colon is missing or only showing the incorrect prefix.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6218)