In 2015, Tso et al.'s demonstrated that the researchers password authentication scheme could not achieve the user anonymity property and do not allow changing password freely for the user. Then, they proposed a new method to remedy the weaknesses. However, this paper points out that Tso et al.'s scheme is still vulnerable to online password guessing attack and denial of service attack using stolen smart card unlike their claims. For this reason, Tso et al.'s scheme is insecure for practical application.