Security flaw of Hölbl et al.’s protocol

Recently, Hölbl et al. [M. Hölbl, T. Welzer, B. Brumen, Improvement of the Peyravian–Jeffries’s user authentication protocol and password change protocol, Computer Communications 31 (2008) 1945–1951] have proposed an improvement of Peyravian–Jeffries’s user authentication protocol and password change protocol [M. Peyravian, C. Jeffries, Secure remote user access over insecure networks, Computer Communications 29 (5–6) (2006) 660–667]. Peyravian–Jeffries’s scheme suffers from an active off-line password-guessing attack [J. Munilla, A. Peinado, Off-line password-guessing attack to Peyravian–Jeffries’s remote user authentication protocol, Computer Communications 30 (1) (2006) 52–54], and Hölbl et al. state that their improved protocol overcomes this weakness. However, we show in this paper that although this proposed protocol prevents this active attack, it remains vulnerable to a passive (simpler) off-line password-guessing attack.