Let me address your last question first, because this is a common misconception. There is no process or flow from the Cisco backend to the SCH enabled device. The flow is always from the device to Cisco. Enabling Call Home on a supported device does not give Cisco or anyone else access to that device.
Instead, Call Home, which is part of the OS, detects the fault, executes predetermined show commands and pushes that data to Smart Call Home.
We'll try to get more detail about the exact mechanism, but this is simply two local components of the operating system exchanging information. The account is only required when the customer has introduced external authentication. The password for that account is not required.