A hash output is binary. The pretty strings you usually see and seem to expect are produced by converting that into hexadecimal or some other printable representation. String::from_utf8 returns an error because the data you give it is not a [valid utf-8] string but some random bytes.
This will (inefficiently) produce a hexadecimal string.
let mut password_hash = String::with_capacity(out.len() * 2);
for c in out.iter() {
password_hash.push_str(&format!("{:02x}", c));
}