As described in RFC 7677, SCRAM-SHA-256 authentication provides challenge-response scheme, that prevents password sniffing on untrusted connections. It is more secure than the md5 method, but might not be supported by older clients.
SCRAM-SHA-256 authentication can be enabled in the host-based authentication configuration file.