Recently Fang et al. (2011) proposed a password-based remote user authentication scheme using smart cards for resource-constrained environment, and claimed that their scheme was secure and practical. However, it is found that their scheme can not achieve the claimed security, it is vulnerable to offline password guessing attack, parallel session attack and known key attack. In addition, the password change phase of their scheme is not user-friendly and practical. Consequently, an improved scheme is presented and analyzed, the analysis shows that new scheme eliminates the defects of Fang et al.s scheme while keeping the merit of high performance, suitable for resource-constrained and security-concerned application scenarios.