
Obfuscate database password to avoid accidentally leaking it in logs

Open alco opened this issue 4 months ago • 0 comments

Fix #1718.

Obfuscation is implemented by wrapping the password in a zero-arity function as early as possible, so that the password is never stored in cleartext in any of our processes' state. The deobfuscation happens right before passing connection options to Postgrex. This creates an explicit point of hand-off where the responsibility for keeping the password from getting leaked is transferred from our code to Postgrex.

alco avatar Oct 01 '24 00:10 alco
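
The wrapping and hand-off described above, as an added example that is not code from this pull request or from Electric. The module `ObfuscationDemo`, its function names and the sample connection options are hypothetical and constructed for illustration.

```elixir
# Added illustration; module and function names are hypothetical, not Electric's.
defmodule ObfuscationDemo do
  # Wrap the secret in a zero-arity closure. inspect/1 on a function prints
  # only "#Function<...>", so the cleartext never appears in inspected terms.
  def obfuscate(opts) do
    Keyword.update!(opts, :password, fn
      pw when is_binary(pw) -> fn -> pw end
      wrapped when is_function(wrapped, 0) -> wrapped
    end)
  end

  # Call the closure at the hand-off point, just before the options leave our code.
  def deobfuscate(opts) do
    Keyword.update!(opts, :password, fn
      wrapped when is_function(wrapped, 0) -> wrapped.()
      pw when is_binary(pw) -> pw
    end)
  end
end

# Constructed sample options.
opts = [hostname: "localhost", username: "electric", password: "s3cr3t-constructed"]
safe = ObfuscationDemo.obfuscate(opts)

# What a log line or crash report built with inspect/1 would contain.
logged = inspect(safe)
false = String.contains?(logged, "s3cr3t-constructed")
IO.puts(logged)

# Process state kept in the obfuscated form: state dumps show only the closure.
{:ok, agent} = Agent.start_link(fn -> %{connection_opts: safe} end)
false = agent |> :sys.get_state() |> inspect() |> String.contains?("s3cr3t-constructed")

# Hand-off: the cleartext is rebuilt only in the value passed to the driver.
conn_opts = ObfuscationDemo.deobfuscate(safe)
"s3cr3t-constructed" = Keyword.fetch!(conn_opts, :password)
# Postgrex.start_link(conn_opts) would follow here; omitted so the script runs
# without the dependency or a database.
```

The closure only keeps the value out of `inspect`-based output such as logs, crash reports and state dumps; the binary is still in memory and can be read from the function's environment, so this is leak prevention and not encryption.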