Password authenticated key agreement protocol allows users to use an easy-to-remember password and establish a secure session key with the help of a trusted server. Recently, Farash and Attari proposed an improved key agreement protocol based on chaotic maps and they pointed out that Gong et al.'s protocol is vulnerable to stolen-verifier attack and password change pitfalls. However, in this paper, we analyze the security of Farash and Attari's protocol and show that it fails to resist known-key attack if the previous session key shared between two parties is compromised. In addition, their protocol is insecure against many logged-in users' attack and the server is not aware of having caused problem. To fill the security gaps, we further design an improved protocol for password authenticated key agreement with user anonymity. To the best of our knowledge, none of the recently proposed password authenticated key agreement protocols can ensure anonymous interactions between the login user and the remote server and this work is the first attempt to provide a secure user anonymity protocol without using smart cards and symmetric key en/decryptions in remote login environments.