User authentication is a very important security mechanism for accessing resources on a remote system. Among remote authentication protocols, password-based authenticated key exchange protocols are the most popular, since two communicating entities that share only a human-memorable password can establish a session key, which is then used to protect their later communication over an insecure network. Recently, Xu Zhu proposed an improved password-based protocol using a smart card, based on previous research. He claims that his protocol is secure against various attacks. However, Song points out that Xu Zhu’s protocol suffers from attacks. In addition, Song gives an improved version of Xu Zhu’s protocol. In this paper, we first show that Song’s protocol is also vulnerable to an off-line dictionary attack. We then extend Song’s protocol so that the extended protocol can resist the off-line dictionary attack even if an adversary captures the smart card.