In the pure sense, /users/{id}/password and /users/{userName}/password are identical, unless you define a regex that asserts uniqueness between the two.
I don't know what are your user name restrictions, but if someone can use "123456" as a user name (which is a string), and that's also a possible id, you have a problem because there's ambiguity.
So, you can either define those two as two endpoints, each having its own distinctive "pattern" (regex) to properly isolate the instances, or have a single endpoint with a "pattern" accepting either/or options.
Keep in mind that some tools, such as swagger-tools, may give you a warning that these two endpoints are identical.