DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
An Examiner's Amendment to the record appears below. Should the changes and/or additions be unacceptable to Applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.


Examiner Amendments

In an attempt to accelerate the prosecution process, the Examiner contacted the Applicant’s representative, Mr. Janniello, James (Reg. No: 54197), and conducted a telephone interview on May 7, 2021. During the interview, the Examiner proposed an examiner's amendment to the claims, with some minor amendments to clarify the claims’ scope and to put the application in condition for allowance.
Authorization for this Examiner's Amendment was given in a telephone interview with Applicant's representative Mr. Janniello, James (Reg. No: 54197) on May 7, 2021.





Claims

Please replace the claims as follows:

Claim 1. 	(Previously Presented) A method for improving a security performance of a computer system, said method comprising:
obtaining, by a validation component executing on at least one hardware processor of said computer system, a specification of a putative password including an initial strength of said putative password;
accessing a plurality of stores of known passwords, the plurality of stores of known passwords comprising at least one store corresponding to hashed and salted passwords, at least one store corresponding to hashed but not salted passwords, and at least one store corresponding to clear text passwords;
risk-scoring, by said validation component executing on said at least one hardware processor, said putative password by reducing said initial strength of said putative password by a predetermined amount for each instance of said putative password in said plurality of stores of known passwords comprising said at least one store corresponding to hashed and salted passwords, said at least one store corresponding to hashed but not salted passwords, and said at least one store corresponding to clear text passwords; 
obtaining, at said computer system, a specification of an actual password chosen in accordance with said risk score of said putative password;
controlling access to at least one aspect of said computer system based on said actual chosen password; and


Claim 2.	(Original) The method of Claim 1, wherein said actual chosen password is identical to said putative password, based on said risk-scoring indicating acceptable risk.

Claim 3.	(Original) The method of Claim 1, wherein said actual chosen password is different than said putative password, based on said risk-scoring indicating unacceptable risk.

Claim 4.	(Previously Presented) The method of Claim 1, further comprising: 
obtaining, from said plurality of stores, access to said known passwords; and downloading said known passwords from said plurality of stores.

Claim 5.	(Cancelled) 

Claim 6. 	(Cancelled) 

Claim 7. 	(Previously Presented) The method of Claim 1, further comprising crawling a network of computers to locate and obtain said known passwords.



Claim 9. 	(Previously Presented) The method of Claim 3, wherein:
said known passwords are stored in a plurality of formats; and
said risk scoring of said putative password comprises separately querying in each of said stored formats.

Claim 10. 	(Previously Presented) The method of Claim 9, wherein said reducing said initial strength of said putative password comprises:
	querying those of said stores corresponding to hashed and salted passwords;
decreasing said initial password strength by a first predetermined amount for said putative password found in said stores corresponding to hashed and salted passwords, to obtain a first revised score;
querying those of said stores corresponding to hashed but not salted passwords;
decreasing said first revised score by a second predetermined amount for said putative password responsive to said putative password being found in said stores corresponding to said hashed but not salted passwords, to obtain a second revised score;
querying those of said stores corresponding to clear text passwords; and
stores corresponding to said clear text passwords, to obtain a third revised score.

Claim 11. 	(Previously Presented) The method of Claim 10, wherein said risk scoring further comprises:
decreasing said first revised score by a third predetermined amount when said putative password is found to be external in said stores corresponding to hashed and salted passwords; and
decreasing said second revised score by a fourth predetermined amount when said putative password is found to be external in said stores corresponding to hashed but not salted passwords.

Claim 12.	(Cancelled)

Claim 13.	(Original) The method of Claim 10, further comprising: 
	calculating said initial password strength with a separate password service; and returning said third revised score to said separate password service.

Claim 14.	(Original) The method of Claim 13, further comprising embedding said separate password service and said validation component in a browser executing on said at least one hardware processor to assist a user in password selection.



Claim 16. 	(Currently Amended) A non-transitory computer readable medium comprising computer executable instructions which when executed by a computer cause the computer to perform a method for improving the security performance of the computer, said method comprising: 
obtaining, with a validation component executing on the computer, a specification of a putative password including an initial strength of said putative password;
accessing a plurality of stores of known passwords, the plurality of stores of known passwords comprising at least one store corresponding to hashed and salted passwords, at least one store corresponding to hashed but not salted passwords, and at least one store corresponding to clear text passwords;
risk-scoring, with said validation component executing on the computer, said putative password by reducing said initial strength of said putative password by a predetermined amount for each instance of said putative password in said plurality of stores of known passwords comprising said at least one store corresponding to hashed and salted passwords, said at least one store corresponding to hashed but not salted passwords, and at least one store corresponding to clear text passwords; 
obtaining, at said computer system, a specification of an actual password chosen in accordance with said risk score of said putative password; [[and]]
controlling access to at least one aspect of said computer system based on said actual chosen password; and
issuing an alert when said putative password is found to be external in said at least one store corresponding to said clear text passwords.

Claim 17. 	(Currently Amended) An apparatus comprising:
a memory;  
at least one processor, coupled to said memory; and
a non-transitory computer readable medium comprising computer executable instructions which when loaded into said memory cause said at least one processor to:
instantiate a retrieval component;
instantiate a validation component;
obtain, with said validation component, a specification of a putative password including an initial strength of said putative password;
access a plurality of stores of known passwords, the plurality of stores of known passwords comprising at least one store corresponding to hashed and salted passwords, at least one store corresponding to hashed but not salted passwords, and at least one store corresponding to clear text passwords;
risk-score, with said validation component, said putative password by reducing said initial strength of said putative password by a predetermined amount for each instance of said putative password in said plurality of stores of known passwords comprising said at least one store corresponding to hashed and salted passwords, said at least one store corresponding to hashed but not salted passwords, and said at least one store corresponding to clear text passwords; 

control access to at least one aspect of said computer system based on said actual chosen password; and
issue an alert when said putative password is found to be external in said at least one store corresponding to said clear text passwords.

Claim 18.	(Previously Presented) The apparatus of Claim 17, wherein said non-transitory computer readable medium further comprises computer executable instructions which when loaded into said memory cause said at least one processor to be further operative to: 
instantiate a separate password service;
calculate said initial password strength with said separate password service, wherein said risk-scoring comprises reducing said initial password strength; and 
return said reduced initial password strength to said separate password service.

Claim 19. 	(Original) The apparatus of Claim 18, wherein said non-transitory computer readable medium further comprises computer executable instructions which when loaded into said memory cause said at least one processor to be further operative to:
instantiate a browser; and
embed said separate password service and said validation component in said browser.



Claim 21.	(Cancelled) 

Claim 22.	(Cancelled) 
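
The risk-scoring recited in Claims 1, 9 and 10, as an added example that is not code from the application or from this Office action: each store format needs its own lookup, and the strength is reduced once per instance found. The SHA-256 digests, the salt-prefix construction, the penalty values, the `cleartext_hit` flag and all names are assumptions made for illustration; the sample stores are constructed.

```python
import hashlib
from dataclasses import dataclass

# Assumed per-instance penalties; the claims say only "predetermined amount".
PENALTY = {"salted": 5, "unsalted": 10, "cleartext": 20}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class Stores:
    salted: list     # (salt, digest_hex) records, digest = SHA-256(salt || password) (assumed)
    unsalted: list   # digest_hex = SHA-256(password) (assumed)
    cleartext: list  # passwords as plain strings

def count_instances(password: str, stores: Stores) -> dict:
    """Query each store format separately; each needs a different lookup."""
    pw = password.encode("utf-8")
    # Salted: there is no single digest to search for, so the candidate is
    # re-hashed with every record's own salt.
    salted = sum(1 for salt, digest in stores.salted if sha256_hex(salt + pw) == digest)
    # Unsalted: hash the candidate once, then compare against every record.
    target = sha256_hex(pw)
    unsalted = sum(1 for digest in stores.unsalted if digest == target)
    # Clear text: direct string comparison.
    cleartext = sum(1 for known in stores.cleartext if known == password)
    return {"salted": salted, "unsalted": unsalted, "cleartext": cleartext}

def risk_score(password: str, initial_strength: int, stores: Stores) -> dict:
    """Reduce the initial strength by a fixed amount per instance, store by store."""
    hits = count_instances(password, stores)
    score, revised = initial_strength, []
    for kind in ("salted", "unsalted", "cleartext"):  # query order of Claim 10
        score -= PENALTY[kind] * hits[kind]
        revised.append(score)  # first, second and third revised scores
    return {"hits": hits, "revised_scores": revised,
            "score": max(score, 0), "cleartext_hit": hits["cleartext"] > 0}

# Constructed sample stores (not real breach data).
SAMPLE = Stores(
    salted=[(b"\x01\x02", sha256_hex(b"\x01\x02" + b"hunter2")),
            (b"\xaa\xbb", sha256_hex(b"\xaa\xbb" + b"letmein"))],
    unsalted=[sha256_hex(b"hunter2"), sha256_hex(b"qwerty")],
    cleartext=["hunter2", "hunter2", "123456"],
)

if __name__ == "__main__":
    print(risk_score("hunter2", 80, SAMPLE))
    print(risk_score("correct horse battery staple", 80, SAMPLE))
```

The salted lookup costs one hash per stored record for every candidate, which is why that format has to be queried separately from the other two.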


Examiner’s Statement of Reasons for Allowance
Claims 1-4, 7-11 and 13-20 are allowed.
The following is an examiner’s statement of reasons for allowance: 
The present invention is to retrieve a list of known compromised passwords. A validation component executing on a hardware processor obtains a specification of a putative password and risk-scores it. The system obtains a specification of an actual password chosen in accordance with the risk score of the putative password. Access to the computer system is controlled based on the actual chosen password. P201706893US01 
The closest prior art references, as previously recited, are Aggarwal (US 20140373088), Altman (US 9379896) and Yedidi (US 20170346797), in which Aggarwal discloses evaluating the password to ascertain its strength. The evaluation is based on a probabilistic password cracking system that is trained on sets of revealed passwords and that can generate password guesses in highest probability order. If the user's proposed password is strong enough, the proposed password is accepted. If the 
However, none of Aggarwal (US 20140373088), Altman (US 9379896) and Yedidi (US 20170346797) teaches or suggests, alone or in combination, the particular combination of steps or elements as recited in independent Claim 1 and similarly Claim 16 and Claim 17. For example, none of the cited prior art teaches or suggests the steps of Claim 1 and similarly Claim 16 and Claim 17: obtaining, by a validation component executing on at least one hardware processor of said computer system, a specification of a putative password including an initial strength of said putative password; accessing a plurality of stores of known passwords, the plurality of stores of known passwords comprising at least one store corresponding to hashed and salted passwords, at least one store corresponding to hashed but not salted passwords, and at least one store corresponding to clear text passwords; risk-scoring, by said validation component executing on said at least one hardware processor, said putative password by reducing said initial strength of said putative password by a predetermined amount for each instance of said putative password in said plurality of stores of known passwords comprising said at least one store corresponding to hashed and salted passwords, said at least one store corresponding to hashed but not salted passwords, and said at least one store corresponding to clear text passwords; obtaining, at said computer system, a specification of an actual password chosen in accordance with said risk score of said putative password; controlling access to at least one aspect of said computer system based on said actual chosen password; and issuing an alert when said putative password is found to be external in said at least one store corresponding to said clear text passwords.

Therefore the claims are allowable over the cited prior art.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CHAO WANG whose telephone number is (313)446-6644.  The examiner can normally be reached on Monday-Friday 7:30-4:30PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham can be reached on (571)270-5002. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  
For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.
	

/C.W./Examiner, Art Unit 2439


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439