I am currently busy trying to lock down (secure wise) APEX, which is, to say the least, very hard… Anyway one of my tricks from the old days (the days you couldn’t lock an account / database schema), was to lock an user account via the following alternative use of the ALTER USER statement
ALTER USER {username} IDENTIFIED BY VALUES ' {String} '
of course nowadays you can use the more complete syntax
ALTER USER {username} IDENTIFIED BY VALUES ' {String} ' ACCOUNT LOCK
Most of the time this method is used to reset the password to its original value.
I noticed in my (secured) Oracle 11g EE database version that passwords are not shown anymore via DBA_USERS