Howdy - I had the opportunity to actually do this on a production network.
I did not take downt the link between the primary (node0) and secondary (node1) . Just did a soft power down on the primary. Lost a couple of pings until the secondary took over. Booted the primary into single user mode - did a password recovery on the primary unit. When it came back up it came up into secondary mode. I checked password validation on both boxes. The newly booted box had the new password, the old secondary (node1) still had the old password.
I did a chassis failover to return the primary status to the newly booted box. I then checked pasword validation again. No change. I then did a commit on the new primary. The commit did NOT migrate to the secondary (node1) unit. I then changed the password again on the new primary (node0) box - did a commit. It was applied on both boxes and the new password was in effect.
I did not think about just making an innocuous configuration change to see if that would have pushed the password out to node1, instead of actually changing the password again.
It all worked really well. Hope this helps!