Switch password handler to passlib's PBKDF2

The passlib implementation of PBKDF2 is strong, portable and more
heavily audited. Use that instead of implementing our own custom
handler. Also simplify password use by dropping optional parameters
from the create and verify functions, and don't bother carrying the
old upgrade_legacy_hash public function forward; it can be reworked
to provide in-place hash upgrades later if desired.