In this paper, we show that a verifier-based password authentication scheme and two remote user authentication schemes are insecure against several active attacks. These results demonstrate that no more password authentication schemes should be constructed with such ad-hoc methods, i.e, the formal design methodology using provable security should be employed.