In password-based or two-factor (password and smart card) authentication, password changing is one of the common techniques used to improve the security of the systems protected by the password. However, the password-changing operations in existing password authentication schemes either depend on the login phase or violate the common practice that an old password should not be valid for subsequent logins after being updated. On the other hand, password mistyping is very common in reality; it may be random or be skewed by the adversary via technical means or social engineering manipulation [i.e., a kind of denial-of-service (DoS) attack]. In human-centric authentication mechanisms, password changing and DoS resilience are not marginal issues. The paper addresses the requirements of robust password changing in authentication and presents a password authentication scheme with robust password changing, DoS resilience, and card-compromise security. Thus, the proposal can be viewed as a suitable candidate instantiation for authentication services of human-centric security, by embedding it in computer and software systems. The scheme also achieves other appealing features, such as self-healing ability and strong privacy protection, which may be useful for human-centric applications. Copyright © 2013 John Wiley & Sons, Ltd.