In order to make it impossible to log in to an account using a password, all that’s needed is for the shadow password entry to be an invalid hash – the usual way to achieve that is to prepend a ! character, which you can do with the -l or --lock option of the passwd command. From man passwd:
-l, --lock Lock the password of the named account. This option disables a password by changing it to a value which matches no possible encrypted value (it adds a ´!´ at the beginning of the password). Note that this does not disable the account. The user may still be able to login using another authentication token (e.g. an SSH key). To disable the account, administrators should use usermod --expiredate 1 (this set the account's expire date to Jan 2, 1970). Users with a locked password are not allowed to change their password.
If you really want to replace the hashed password with the single character * however, you can do so with the usermod command:
sudo usermod -p '*' someuser
See also: