Recently, Rhee et al. proposed a remote user authentication scheme using aommon storage devices, such as USB memory sticks, PDAs, and mobile phones, instead of using smart cards, while preserving the merits of smart cards. In this work, we will show that Rhee et al.'s scheme is vulnerable to two different types of user impersonation attacks and the insider attack. We then propose an improvement to remedy these weaknesses.