There are several password-based authentication methods. These methods operate similarly but differ in how the users' passwords are stored on the server and how the password provided by a client is sent across the connection.
scram-sha-256
       The method scram-sha-256 performs SCRAM-SHA-256
       authentication, as described in
       RFC 7677.  It
       is a challenge-response scheme that prevents password sniffing on
       untrusted connections and supports storing passwords on the server in a
       cryptographically hashed form that is thought to be secure.
      
This is the most secure of the currently provided methods, but it is not supported by older client libraries.
md5
       The method md5 uses a custom less secure challenge-response
       mechanism.  It prevents password sniffing and avoids storing passwords
       on the server in plain text but provides no protection if an attacker
       manages to steal the password hash from the server.  Also, the MD5 hash
       algorithm is nowadays no longer considered secure against determined
       attacks.
      
       To ease transition from the md5 method to the newer
       SCRAM method, if md5 is specified as a method
       in pg_hba.conf but the user's password on the
       server is encrypted for SCRAM (see below), then SCRAM-based
       authentication will automatically be chosen instead.
      
password
       The method password sends the password in clear-text and is
       therefore vulnerable to password “sniffing” attacks. It should
       always be avoided if possible. If the connection is protected by SSL
       encryption then password can be used safely, though.
       (Though SSL certificate authentication might be a better choice if one
       is depending on using SSL).
      
    PostgreSQL database passwords are
    separate from operating system user passwords. The password for
    each database user is stored in the pg_authid system
    catalog. Passwords can be managed with the SQL commands
    CREATE ROLE and
    ALTER ROLE,
    e.g., CREATE ROLE foo WITH LOGIN PASSWORD 'secret',
    or the psql
    command \password.
    If no password has been set up for a user, the stored password
    is null and password authentication will always fail for that user.
   
    The availability of the different password-based authentication methods
    depends on how a user's password on the server is encrypted (or hashed,
    more accurately).  This is controlled by the configuration
    parameter password_encryption at the time the
    password is set.  If a password was encrypted using
    the scram-sha-256 setting, then it can be used for the
    authentication methods scram-sha-256
    and password (but password transmission will be in
    plain text in the latter case).  The authentication method
    specification md5 will automatically switch to using
    the scram-sha-256 method in this case, as explained
    above, so it will also work.  If a password was encrypted using
    the md5 setting, then it can be used only for
    the md5 and password authentication
    method specifications (again, with the password transmitted in plain text
    in the latter case).  (Previous PostgreSQL releases supported storing the
    password on the server in plain text.  This is no longer possible.)  To
    check the currently stored password hashes, see the system
    catalog pg_authid.
   
    To upgrade an existing installation from md5
    to scram-sha-256, after having ensured that all client
    libraries in use are new enough to support SCRAM,
    set password_encryption = 'scram-sha-256'
    in postgresql.conf, make all users set new passwords,
    and change the authentication method specifications
    in pg_hba.conf to scram-sha-256.