Introduce new PBKDF2 SHA512 devise encryptor
Use PBKDF2 using SHA512. SHA512 by itself is supported by devise-encryptable gem, but it also doesn't use the standard hash format that embeds the hash type, salt, and stretches.
We will implement our own support for PBKDF2 using SHA512 based on devise-encryptable and using the hashing format `$pbkdf2-sha512$<num rounds>$<salt>$<hash>`. We can certainly attempt to contribute the changes upstream.
The advantages include not needing to add a second column and the ability to change the default stretches later without breaking existing passwords.
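A sketch of how a self-describing hash in this format lets verification keep working after the default stretches change. This is an added example, not code from this issue or from devise-encryptable; the module name, the default of 20,000 stretches, and hex encoding of the salt and hash are assumptions.

```ruby
require "openssl"
require "securerandom"

# Hypothetical module; names are illustrative, not devise-encryptable's API.
module Pbkdf2Sha512Example
  DEFAULT_STRETCHES = 20_000 # assumed default, not taken from the issue
  KEY_LEN = 64               # SHA512 output size in bytes
  FORMAT = /\A\$pbkdf2-sha512\$(\d+)\$(\h+)\$(\h{128})\z/

  module_function

  # Hex-encoded PBKDF2-HMAC-SHA512 output (hex encoding is an assumption).
  def derive(password, salt, stretches)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: stretches,
                             length: KEY_LEN, hash: "sha512").unpack1("H*")
  end

  # Build "$pbkdf2-sha512$<num rounds>$<salt>$<hash>".
  def digest(password, stretches: DEFAULT_STRETCHES, salt: SecureRandom.hex(16))
    "$pbkdf2-sha512$#{stretches}$#{salt}$#{derive(password, salt, stretches)}"
  end

  # Split a stored value into its parts; nil for anything malformed,
  # including values produced by another encryptor such as bcrypt.
  def parse(stored)
    m = FORMAT.match(stored.to_s)
    return nil unless m && m[1].to_i.positive?
    { stretches: m[1].to_i, salt: m[2], hash: m[3] }
  end

  # Verify with the rounds and salt embedded in the stored string, so hashes
  # created under an older default still validate.
  def valid?(stored, password)
    parts = parse(stored)
    return false unless parts
    candidate = derive(password, parts[:salt], parts[:stretches])
    OpenSSL.fixed_length_secure_compare(candidate, parts[:hash])
  end

  # True when the stored value should be re-hashed on the next successful login.
  def needs_rehash?(stored, current: DEFAULT_STRETCHES)
    parts = parse(stored)
    parts.nil? || parts[:stretches] < current
  end
end
```
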
Original description
In order to use FIPS-approved algorithms for hashing login passwords, we need to replace the currently used bcrypt devise encryptor and update the password to be stored using SHA512.
In order to seamlessly change the hashing algorithm during login:
- introduce a new DB column to store encryptor type (currently bcrypt)
- during successful login:
  - if encryptor type is bcrypt, update the password to store as SHA512
  - if encryptor type is
Availability & Testing
What risks does this change pose to our availability?
Any mishap could cause the users to be locked out of the application.
What additional test coverage or changes to tests will be needed?
- Run package-and-qa job on the MR to ensure end-to-end tests are fine.
- Perform manual testing on Staging environment by logging in and logging out and then re-logging in.