Changing a user decryption key passphrase requires both the physical data file (USB key or such) and the user's current passphrase. (If neither is available, create a new decryption key from scratch.)
Note if the user has more than one key, each one must be updated individually, or the file containing the key can be copied to the second location.
If a user's key or passphrase has been compromised, do not just change the user's passphrase. Since the key itself can be copied, and the passphrase is tied to the copy of the key, the compromised key can be used to access data. Instead, revoke the user's key and create a new one. This will make the old key and all of its copies useless, regardless of how many times it's been copied.