Make it easier to provide API token securely

Currently the readme recommends passing the token as an arg. This is tricky to do securely without the token ending up in terminal history. It would be nice if `ynab auth login` with no args was interactive and allowed pasting the token in such a way that it isn't potentially exposed.