Passwords: check in constant time

The default password comparison logic does not use
constant time validation. Switching to constant time
offers a meager improvement by removing a timing
oracle.

A prepatory step in moving to Argon2id password storage, since we'll need this change anyway after
for validating existing passwords.

Co-authored-by: Graham Christensen <graham@grahamc.com>

src/lib/Hydra.pm

@@ -34,8 +34,7 @@ __PACKAGE__->config(
             credential => {
                 class => "Password",
                 password_field => "password",
-                password_type => "hashed",
-                password_hash_type => "SHA-1",
+                password_type => "self_check",
             },
             store => {
                 class => "DBIx::Class",