Kim and Chung previously proposed a password-based user authentication scheme to improve Yoon and Yoo's scheme. However, Kim and Chung's scheme is still vulnerable to an offline password guessing attack, an unlimited online password guessing attack, and server impersonation. We illustrate how their scheme can be compromised and then propose an improved scheme to overcome the weaknesses. Our improvement is based on the Rabin cryptosystem. We verify the correctness of our proposed scheme using the BAN logic.