Session Initiation Protocol (SIP) is one of the most commonly used protocols for handling sessions for over Internet Protocol based communications, and the security of SIP is becoming increasingly important. Recently, Zhang et al. proposed a password-authenticated key agreement protocol for SIP by using smart cards to protect the VoIP communications between users. Their protocol provided some unique features, such as mutual authentication, no password table needed, and password updating freely. In this study, we performed cryptanalysis of Zhang et al.'s protocol and found that their protocol was vulnerable to the impersonation attack although the protocol could withstand several other attacks. A malicious attacker could compute other users' privacy keys and then impersonated the users to cheat the SIP server. Furthermore, we proposed an improved password-authentication key agreement protocol for SIP, which overcame the weakness of Zhang et al.'s protocol and was more suitable for Voice over Internet Protocol communications. Copyright © 2014 John Wiley & Sons, Ltd.