Changing the passphrase on a user's decryption key requires both the physical data file and the user's current passphrase. (If neither is available, create a new decryption key from scratch.)
Note: if the user has more than one key, either each one must be updated individually, or the file containing the key can be copied to the second location.
If a user's key or passphrase has been compromised, do not just change the user's passphrase. Because the key itself can be copied, and a passphrase is associated only with the copy of the key it was set on, a compromised copy can still be used to access data. Instead, revoke the user's key and create a new one. This makes the old key and all of its copies useless, regardless of how many times it has been copied.
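The following added example (not code from this product) models why a passphrase change does not contain a compromise while revocation does. The wrapping scheme, the fingerprint-based revocation list, and all names and passphrases are assumptions constructed for illustration; the real key file format is not described on this page.

```python
import hashlib, hmac, os

def _kdf(passphrase: str, salt: bytes) -> bytes:
    # 64 bytes: the first 32 mask the key, the last 32 authenticate the file.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=64)

def wrap(key: bytes, passphrase: str) -> dict:
    """Simplified model of a key file: a 32-byte key protected by a passphrase."""
    salt = os.urandom(16)
    k = _kdf(passphrase, salt)
    ct = bytes(a ^ b for a, b in zip(key, k[:32]))
    return {"salt": salt, "ct": ct, "tag": hmac.new(k[32:], ct, "sha256").digest()}

def unwrap(blob: dict, passphrase: str) -> bytes:
    k = _kdf(passphrase, blob["salt"])
    expected = hmac.new(k[32:], blob["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong passphrase")
    return bytes(a ^ b for a, b in zip(blob["ct"], k[:32]))

def change_passphrase(blob: dict, current: str, new: str) -> dict:
    # Needs both the file and the current passphrase; the key itself is unchanged.
    return wrap(unwrap(blob, current), new)

def fingerprint(key: bytes) -> str:
    return hashlib.sha256(key).hexdigest()

def scenario() -> dict:
    revoked = set()  # assumption: the system tracks revoked keys by fingerprint
    usable = lambda key: fingerprint(key) not in revoked
    key_file = wrap(os.urandom(32), "old-pass")   # constructed sample values
    stolen_copy = dict(key_file)   # compromise: file copied, passphrase known
    key_file = change_passphrase(key_file, "old-pass", "new-pass")
    stolen_key = unwrap(stolen_copy, "old-pass")  # the copy keeps its old passphrase
    result = {"same_key_after_change": stolen_key == unwrap(key_file, "new-pass"),
              "stolen_usable_after_change": usable(stolen_key)}
    revoked.add(fingerprint(stolen_key))  # revoke the key, then create a new one
    new_key = os.urandom(32)
    key_file = wrap(new_key, "new-pass")
    result["stolen_usable_after_revoke"] = usable(stolen_key)
    result["new_key_usable"] = usable(new_key)
    return result

if __name__ == "__main__":
    print(scenario())
```

The passphrase change re-protects only the file it is run against; every earlier copy still opens with the passphrase it had when it was copied, which is why revocation acts on the key rather than on any one file.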