Note that existing client connections will /not/ be dropped when the password is changed on the cluster. Therefore you can:
Update the application with the “new” password, and code it to try both the old and new.
Change the bucket password; existing client connections will remain but new ones will need to produce the new password (which they can do if the old password first fails).
Once all clients have been recycled. the code for checking the old password can be removed.