In this paper, we indicate two pairing-based remote user authentication scheme are insecure. First, a proposed authentication scheme suffers from the impersonation attack. The malicious adversary intercepts valid information from the login request, modifies it, and is able to impersonate the legitimate user to pass the authentication. Secondly, we also point out another authentication scheme, using bilinear pairing and elliptic curve cryptography, will suffer from the off-line dictionary attack. Under the user selecting the same random number for two distinct login, the attacker could calculate out the private secret of the user, and impersonate to be the legitimate user to login the system.