The passwd command changes passwords for user accounts. A normal user may only change the password for their own account, while the superuser may change the password for any account.
passwd also changes the account or associated password validity period.
immediately expire a password, force user to change
…
-l, --lock
lock the password of the named account. This option disables a password by changing it to a value which matches no possible encrypted value (it adds a ´!´ at the beginning of the password).
Note that this does not disable the account. The user may still be able to login using another authentication token (e.g. an SSH key).
not allowed to change their password
…
-u, --unlock
This option re-enables a password by changing the password back to its previous value (to the value before using the -l option).