There are discussions dating back years on these forums outlining the headaches around both password setting as well as password changing for local administrator accounts. We've got the dscl -passwd approach, the sysadminctl -resetPasswordFor approach, some use the jamf binary...
We've had to dance with SecureToken limitations and messed up keychains, FileVault passwords not updating or staying in sync with an OS level passchange...
I was sitting here testing some methods for cycling a local administrator account's password (that has a secureToken enabled) and noticed that just performing a simple:
dscl . -passwd /Users/mylocaladmin <oldpassword> <newpassword>
not only updated the password within the OS, but also updated the filevault password AND updated the password on the keychain. I'm blown away. I remember jumping through hoops to get a successful and smooth change to all relevant areas of the user account. When did this change happen? Test machine is currently 10.15.6, but I'm tempted to wipe and try earlier OSes to find when it was introduced.
When cycling a known existing password on a local, secureToken enabled administrator account, what approach do you all do?
Combination of dscl, security set-keychain-password, and fdesetup remove/add?
EDIT: the dscl method works on a 10.14.6 machine I had laying around too, so its at least as early as that.