The personal health records (PHRs) is a patient-centered information exchange model that allows people to autonomously maintain and manage their own personal records, including access and share their lifelong health information. A method must be implemented to protect PHRs on unsecured network and to prevent unauthorized users from accessing and modifying the PHRs during data transmission with the servers. User authentication protocols should be able to ensure the safety of user communications and data transmission on unsecured networks. Password-based user authentication is the most widely used among the currently available authentication mechanisms because of its convenience and efficiency. A password mechanism offers advantages because of its simplicity and the dependence on human’s memories. On the other hand, it is easily cracked by brute force attacks such offline guessing attacks or spoofing attack and impersonation problems that may occur when the password is hacked. Therefore, this study aimed to investigate the usage of a dynamic password-based user authentication scheme on PHRs in which the characteristics of a dynamic password would prevent attackers from intercepting the correct password or guessing a user’s password. Additionally, the scheme developed in this study can also resist common attacks such as replay attacks, stolen-verifier attacks, server spoofing attacks, and impersonation attacks, among others.