In 2005, Sun et al. proposed a user-friendly remote authentication scheme. To improve the efficiency of the authentication process, their method is based on a one-way hash function. Unlike previous methods, Sun et al.'s method allows the user to choose and change the password locally without connecting to the server. It can resist replay attacks, impersonation attacks, password guessing attacks, and denial-of-service attacks. However, in this paper we point out that their scheme is vulnerable to a privileged insider attack, and we propose an enhanced scheme to eliminate this weakness.