I couldn’t find evidence that Duplicati accepts the web UI password through an environment variable.
That documentation might just be kind of boilerplate about how one can set enviroronment variables.
The password required to access the webserver. This option is saved so you do not need to set it on each run. Setting an empty value disables the password.
Above is from Duplicati.Server.exe documentation. On Linux I think this is usually controlled by systemd and accepts options in /etc/default/duplicati. Alternatively you can maybe systemctl stop duplicati and run the wrapper script /usr/bin/duplicati by hand, adding that option to see if you can set as desired.
Password verification data is in Duplicati-server.sqlite, possibly in the Duplicati user’s ~/.config/Duplicati which is (I think – I don’t use Docker) supposed to be mapped onto a host file so it survives new Docker.
I mention all this in case you dare try this again. You should be able to backup your configs, just in case.