There is no point in changing the miner's password after it has been already hacked, the hacker doe not need the password anymore, he is already INSIDE.

in most cases and according to my experience with the same nicehash hacker, even a reset does not fix this, and when you attempt a firmware upgrade from the web, it will show "updated" but it won't, the hacker tricks you into thinking it was updated when it was not, I had luck fixing this issue on antminer S9 by using the IP report button method to reset the miner and then quickly before the miner loads I rush to change the firmware, and it worked perfectly, another option would be SDcarding a different firmware and then immediately change the password.

But you should be extra paranoid, assume that every device you have on the network is infected, especially those windows PCs, so to be extra safe, you should either use another PC/Laptop or a mobile phone to change the password for the first time after the new firmware and if you have a Linux based system will be great, if not any of the prior options is good enough.