Enable scram-sha-256 as the default password_encryption method instead of md5

[iSignal]

Jira Link: DB-2236 scram-sha-256 allows a challenge-response based authentication instead of md5 which simply seems to send over the MD5 of the password, afaik.

Client support for scram-sha-256 is described in https://wiki.postgresql.org/wiki/List_of_drivers#Drivers and scram-sha-256 mode of auth is described in https://info.crunchydata.com/blog/how-to-upgrade-postgresql-passwords-to-scram

This should be the default auth mode enabled when the --ysql_enable_auth flag is specified.
[Steve]: I believe that the password_encryption is used regardless of whether authentication is enabled or not. It's just that when enabled, any existing passwords must be in the expected hashed format or they cannot be used.]

If we are concerned about client compatibility, we could make it default to scram-sha-256 falling back to md5.

[sstubbs]

This would be great. Is there any way to enable scram-sha-256 manually now?

[stevebang]

Here are some additional advantages of using SCRAM-SHA-256 over MD5:

• SCRAM-SHA-256 hashing occurs when passwords are set, resulting in faster and cheaper authentication events.
• For each authentication attempt, SCRAM-SHA-256 pushes hashing to the client, where it can be cached. As a result of client hashing, SCRAM-SHA-256 is more resistant to offline attacks — for each password an attacker attempts, the password must be hashed again.

[stevebang]

@sstubbs Yes, you can enable scram-sha-256 now. Documentation on enabling it is in draft PR #5391, which I'll publish after clarifying migration steps.