Remote user authentication always adopts the method of password to login the server within insecure network environments. Recently, Peyravin and Jeffries proposed a practical authentication scheme based on one-way collision-resistant hash functions. However, Shim and Munilla independently showed that the scheme is vulnerable to off-line guessing attacks. In order to remove the weakness, Hölbl, Welzer and Brumenn presented an improved secure password-based protocols for remote user authentication, password change and session key establishment.  Unfortunately, the remedies of their improved scheme cannot work. The improved scheme still suffers from the off-line attacks. And the password change protocol is insecure against Denial-of-Service attack. A proposed scheme is presented which overcomes these weaknesses. Detailed cryanalysis show that the proposed password-based protocols for remote user authentication, password change and session key establishment are immune against man-in-the-middle attacks, replay attacks, password guessing attacks, outsider attacks, denial-of-Service attacks and impersonation attacks.