DETAILED ACTION
This office action is in reply to applicant communication filed on June 04, 2021.
 
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Claims 1-20 have been presented.
Claims 1-20 are pending. 

Response to Argument
Applicant’s arguments filed on June 04, 2021 with respect to the 35 USC 102/103 rejections of independent claims 1, 11, and 15 have been fully considered but they are not persuasive.

Applicant argues that the prior art on record, Wheeler (US Pub. No. 2013/0269010) in view of Swann (US Pub. No. 2013/0055380) and further in view of Wu (US 9,654,466), fails to teach the limitation of the independent claims, “… receiving, over a network connection in real-time from a user computer of a user, a first hash value corresponding to a first string of a plurality of strings of a password that is currently being inputted into a password creation field of an application”. Examiner respectfully disagrees.

A review of the prior art of the record (Wheeler), corresponding to the above argued claim limitation reveals that part of the argued claim limitation, (receiving from a user computer of a user, a first string of a plurality of strings of a password that is currently being inputted into a password creation field of an application) is disclosed by the Wheeler reference as, (paragraph 56 of Wheeler, the method is performed in one embodiment by account management system 100. The method receives a password (300) for evaluation. Next, the method identifies substrings (310) within the password, as described above. The substrings identified in the password may be dictionary words, common passwords, common names, keyboard patterns, and other types of patterns) and (paragraph 22 of Wheeler, the password strength module 104 identifies substrings within the password, scores the entropy for each substring based on the number of substrings generated by a pattern, combines the identified substrings, and selects the identified combination with the minimum entropy).

A review of the prior art of the record (Swann), corresponding to the above argued claim limitation reveals that the second part of the argued claim limitation, (using the hash of a password instead of just the password) is disclosed by the Swann reference as, (paragraph 44 of Swann, a determination is made as to whether the hashed password includes a predefined sequence of bytes) and (paragraph 46 of Swann, when it is determined at operation 508 that the hashed password does not include the predefined sequence of bytes, control returns to operation 504 and one or more characters are appended to the first password to form the second password).

A review of the prior art of the record (Wu), corresponding to the above argued claim limitation reveals that the last part of the argued claim limitation, (receiving, over a network connection in real-time from a user computer of a user ….) is disclosed by the Wu reference as, (column 1, line 15-20 of Wu, The present invention relates generally to the field of electronic transactions, and more particularly to methods and systems for performing electronic transactions using dynamic password authentication) and (column 6, line 14-21 of Wu, the hashed result is unique for each connection and consequently comprises a unique one-time password. The random character string is the input event to the mobile application and hence is event-based but not predictable. When a user submits the combination of a user ID, a static password, and the hashed result from the challenge string, the authentication server processor 108 may perform a number of functions to authenticate the user's identity). Also see the network connection of user mobile device in fig. 1 of Wu. 

Therefore, the art on record teaches the above claim limitation as discussed in the previous office action, and the rejection is respectfully maintained.






Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102 of this title, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains.  Patentability shall not be negated by the manner in which the invention was made.


Claims 1-20 are rejected under 35 U.S.C. 103 as being unpatentable over Wheeler (US Pub. No. 2013/0269010) in view of Swann (US Pub. No. 2013/0055380) and further in view of Wu (US 9,654,466).

	As per claim 1 Wheeler discloses:
A system, comprising: one or more hardware processors; a secure element; and a memory storing computer-executable instructions, that in response to execution by the one or more hardware processors, causes the system to perform operations comprising: receiving, from a user computer of a user, a first string that is input into a password field of an application provided by a service provider; (paragraph 56 of Wheeler, the method is performed in one embodiment by account management system 100. The method receives a password (300) for evaluation. Next, the method identifies substrings (310) within the password, as described above. The substrings identified in the password may be dictionary words, common passwords, common names, keyboard patterns, and other types of patterns).
Determining, based on accessing a database, data characteristics, the data characteristics indicating use of the first string as a password value by one or more other users; (paragraph 27 of Wheeler, the password scoring database 108 stores data for execution of functions by the password strength module 104. The information stored for the password strength module 104 includes information and data relevant for the password strength module 104 to identify substrings within a password and calculate measures of password strength. This data may include possible characters used in a password, keyboard layouts, common key substitutions, dictionaries, commonly used passwords) and (paragraph 44 of Wheeler, the measure of entropy for the substring is based on the word's frequency in a dictionary and any applicable character substitutions. The frequency of a word's use is considered because a frequently-used word in a password enables an adversary to determine a password with a smaller dictionary size and thereby attempt fewer dictionary words. For an adversary to identify an uncommon or rare word requires the adversary to use a larger dictionary of words).
Determining, based on the data characteristics, a password strength; and causing the user computer to display an indication of the password strength. (Paragraph 8 of Wheeler, a system, method, and storage medium provide password strength metrics based on a measure of entropy of passwords, and provide improved ratings to users that better indicate the strength of passwords based on such entropy measures) and (paragraph 15 of Wheeler, the account management system 100 provides feedback to users to indicate the relative strength of a user's password).
Wheeler teaches the method of providing feedback to the user to indicate the relative strength of password (see paragraph 15 of Wheeler) but fails to disclose the method of determining the strength of a password based on the hash value of the password. However, in the same field of endeavor, Swann teaches this limitation as, (paragraph 44 of Swann, a determination is made as to whether the hashed password includes a predefined sequence of bytes) and (paragraph 46 of Swann, when it is determined at operation 508 that the hashed password does not include the predefined sequence of bytes, control returns to operation 504 and one or more characters are appended to the first password to form the second password).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Wheeler and include the above limitation using the teaching of Swann in order to secure the communication of the password by hashing the password with some kind of hash function.
The combination of Wheeler and Swann teaches the method of receiving from a user computer of a user, a first hash value corresponding to a first string that is inputted into a password field (see paragraph 56 of Wheeler) but fails to disclose the method of receiving, over a network connection, in real-time, a first hash value corresponding to a first string of a plurality of strings of a password that is currently being inputted into a password creation field and accessing the hashed password database. However, in the same field of endeavor, Wu teaches this limitation as, (column 1, lines 15-20 of Wu, The present invention relates generally to the field of electronic transactions, and more particularly to methods and systems for performing electronic transactions using dynamic password authentication) and (column 6, lines 14-21 of Wu, the hashed result is unique for each connection and consequently comprises a unique one-time password. The random character string is the input event to the mobile application and hence is event-based but not predictable. When a user submits the combination of a user ID, a static password, and the hashed result from the challenge string, the authentication server processor 108 may perform a number of functions to authenticate the user's identity). Also see the network connection of the user mobile device in fig. 1 of Wu.
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Wheeler and Swann to include the above limitation using the teaching of Wu in order to authenticate the user-input password character by character and avoid retyping every character in case of an incorrectly typed character.

Claim 15 is rejected for the same reason set forth in the rejection of claim 1.

As per claim 2 Wheeler in view of Swann and further in view of Wu discloses:
The password strength module identifies substrings within the password, and identifies substring combinations that form the password using the substrings. Given a substring in a combination, the module determines whether the substring can be generated from one or more patterns).

Claim 16 is rejected for the same reason set forth in the rejection of claim 2.

As per claim 3 Wheeler in view of Swann and further in view of Wu discloses:
The system of claim 2, wherein the first string and the second string each correspond to a single character respectively. (Paragraph 32 of Wheeler, the substring identification module 200 identifies substrings within the password. The password is parsed into substrings for each combination of sequential characters within the password. For example, the password "BAD" has substrings B, A, D, BA, AD, and BAD. The substring identification module 200 determines whether each substring matches any patterns stored in the password scoring database 108).

As per claim 4 Wheeler in view of Swann and further in view of Wu discloses:
The system of claim 1, wherein the database stores mappings between a plurality of hash values and respective data characteristics that indicate use of strings represented by the hash values as passwords by a plurality of users. (Paragraph 34 of Wheeler, the substring identification module 200 compares the substrings to a set of words. The set of words is stored in the password scoring database 108. For example, to determine if a substring is a most frequently used password, the substring is compared against the list of common passwords stored in the password scoring database 108).



As per claim 5 Wheeler in view of Swann and further in view of Wu discloses:
The system of claim 4, wherein the plurality of hash values include the first hash value and the plurality of users includes the one or more other users. (Abstract of Wheeler, the password is parsed and substrings are identified from the password. Each substring is associated with a pattern that can generate the substring. The substrings are scored to determine a substring strength measure for the substring) and (paragraph 26 of Wheeler, the user accounts database 106 maintains information relating to the user accounts. The user accounts database 106 stores usernames, passwords, and various user data according to the system implementing account management system 100).

Claim 18 is rejected for the same reason set forth in the rejection of claim 5.

As per claim 6 Wheeler in view of Swann and further in view of Wu discloses:
The system of claim 1, wherein the data characteristics include frequency information indicating a number of instances in which the first string represented by the first hash value has been input as a potential password for one or more applications. (Paragraph 53 of Wheeler, combination strength based on the arrangement of substrings is determined with reference to a frequency rating of various substring combinations. The frequency rating is determined based on lists of frequent or common passwords and can identify the frequency that particular substring combinations are used).

Claim 19 is rejected for the same reason set forth in the rejection of claim 6.

As per claim 7 Wheeler in view of Swann and further in view of Wu discloses:
The combination of Wheeler and Wu teaches the method of providing feedback to the user to indicate the relative strength of password (see paragraph 15 of Wheeler) but fails to disclose:

However, in the same field of endeavor, Swann teaches this limitation as, (paragraph 44 of Swann, a determination is made as to whether the hashed password includes a predefined sequence of bytes) and (paragraph 46 of Swann, when it is determined at operation 508 that the hashed password does not include the predefined sequence of bytes, control returns to operation 504 and one or more characters are appended to the first password to form the second password).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Wheeler and Wu to include the above limitation using the teaching of Swann in order to generate a strong password and secure computing system using the strong password.

Claim 20 is rejected for the same reason set forth in the rejection of claim 7.

As per claim 8 Wheeler in view of Swann and further in view of Wu discloses:
The system of claim 7, wherein the operations further comprise: transmitting an error notification to the user computer in response to determining that the first hash value fails to satisfy the one or more password rules. (Paragraph 46 of Swann, when it is determined at operation 508 that the hashed password does not include the predefined sequence of bytes, control returns to operation 504 and one or more characters are appended to the first password to form the second password).

As per claim 9 Wheeler in view of Swann and further in view of Wu discloses:
The combination of Wheeler and Wu teaches the method of providing feedback to the user to indicate the relative strength of password (see paragraph 15 of Wheeler) but fails to disclose:

However, in the same field of endeavor, Swann teaches this limitation as, (paragraph 44 of Swann, a determination is made as to whether the hashed password includes a predefined sequence of bytes) and (paragraph 46 of Swann, when it is determined at operation 508 that the hashed password does not include the predefined sequence of bytes, control returns to operation 504 and one or more characters are appended to the first password to form the second password. Typically one character is applied to the end of the first password to form the second password and the one character that is applied is different than the one character previously applied).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Wheeler and Wu to include the above limitation using the teaching of Swann in order to generate a strong password and secure computing system using the strong password.

As per claim 10 Wheeler in view of Swann and further in view of Wu discloses:
The system of claim 1, wherein the system is maintained by a service provider and the password creation field corresponds to a user interface component provided via a service provider application of the service provider. (Paragraph 16 of Wheeler, a user device 110 communicates with the account management system 100 to manage a user's account with the account management system 100. The user device 110 is a computing device suitable for communicating with the account management system 100 and may be any such system).

As per claim 11 Wheeler discloses:
A method, comprising: receiving, by a user computer, successive text character inputs into a password field of an application provided by a service provider, each successive text character input forming a respective text string; (paragraph 56 of Wheeler, the method receives a password (300) for evaluation. Next, the method identifies substrings (310) within the password, as described above. The substrings identified in the password may be dictionary words, common passwords, common names, keyboard patterns, and other types of patterns).
For each respective text string: receiving, from the service provider server in response to the transmitting of the corresponding password, a password strength associated with the corresponding hash value; and displaying, by the user computer, an indication of the password strength. (Paragraph 8 of Wheeler, a system, method, and storage medium provide password strength metrics based on a measure of entropy of passwords, and provide improved ratings to users that better indicate the strength of passwords based on such entropy measures) and (paragraph 15 of Wheeler, the account management system 100 provides feedback to users to indicate the relative strength of a user's password).
Wheeler teaches the method of providing feedback to the user to indicate the relative strength of password (see paragraph 15 of Wheeler) but fails to disclose the method of generating a corresponding hash value and transmitting the corresponding hash value to a service provider server associated with the service provider. However, in the same field of endeavor, Swann teaches this limitation as, (paragraph 44 of Swann, a determination is made as to whether the hashed password includes a predefined sequence of bytes) and (paragraph 46 of Swann, when it is determined at operation 508 that the hashed password does not include the predefined sequence of bytes, control returns to operation 504 and one or more characters are appended to the first password to form the second password) and (paragraph 43 of Swann, a hash function is applied to the second password to form a hashed password. The hash function is typically a cryptographic hash function, although other hash functions may be used. The hashed password is a bit string that includes one or more hexadecimal characters).
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Wheeler and include the above limitation using the teaching of Swann in order to secure the communication of the password by hashing the password with some kind of hash function.
The combination of Wheeler and Swann teaches the method of receiving from a user computer of a user, a first hash value corresponding to first string that is inputted into a password field (see paragraph methods and systems for performing electronic transactions using dynamic password authentication involve, for example, sending, using a backend processor, a unique random or pseudorandom character string to the user's mobile device processor). Also see the network connection of user mobile device in fig. 1 of Wu
Therefore, it would have been obvious to one of ordinary skill in the art before the effective filing date of the claimed invention to modify the teaching of Wheeler and Swann to include the above limitation using the teaching of Wu in order to authenticate the user-input password character by character and avoid retyping every character in case of an incorrectly typed character.

As per claim 12 Wheeler in view of Swann and further in view of Wu discloses:
The method of claim 11, wherein the transmitting the corresponding hash value causes the service provider server to perform operations comprising: determining data characteristics associated with the corresponding hash value, the data characteristics indicating usage of the respective text string as a password by one or more other users. (Paragraph 27 of Wheeler, the password scoring database 108 stores data for execution of functions by the password strength module 104. The information stored for the password strength module 104 includes information and data relevant for the password strength module 104 to identify substrings within a password and calculate measures of password strength. This data may include possible characters used in a password, keyboard layouts, common key substitutions, dictionaries, commonly used passwords) and (paragraph 44 of Wheeler, the measure of entropy for the substring is based on the word's frequency in a dictionary and any applicable character substitutions. The frequency of a word's use is considered because a frequently-used word in a password enables an adversary to determine a password with a smaller dictionary size and thereby attempt fewer dictionary words. For an adversary to identify an uncommon or rare word requires the adversary to use a larger dictionary of words).


The method of claim 12, wherein the data characteristics include frequency information indicating a number of instances in which the text string represented by the corresponding hash value has been input as a potential password for one or more applications. (Paragraph 53 of Wheeler, combination strength based on the arrangement of substrings is determined with reference to a frequency rating of various substring combinations. The frequency rating is determined based on lists of frequent or common passwords and can identify the frequency that particular substring combinations are used).

As per claim 14 Wheeler in view of Swann and further in view of Wu discloses:
The method of claim 11, wherein the transmitting the corresponding hash value to the service provider server occurs without transmitting the respective text string to the service provider server. (Paragraph 44 of Swann, a determination is made as to whether the hashed password includes a predefined sequence of bytes) and (paragraph 46 of Swann, when it is determined at operation 508 that the hashed password does not include the predefined sequence of bytes, control returns to operation 504 and one or more characters are appended to the first password to form the second password) and (paragraph 43 of Swann, a hash function is applied to the second password to form a hashed password. The hash function is typically a cryptographic hash function, although other hash functions may be used. The hashed password is a bit string that includes one or more hexadecimal characters).

Conclusion
The prior art made of record and not relied upon that is considered pertinent to applicant’s disclosure is Logan (US 9,171,147). Logan discloses methods and systems for creating and encrypting rich formatted passwords that increase password strength and security.

THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  


Any inquiry concerning this communication or earlier communications from the examiner should be directed to TESHOME HAILU whose telephone number is (571)270-3159. The examiner can normally be reached on M-F 8 a.m. - 5 p.m.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kambiz Zand, can be reached on (571) 272-3811. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/TESHOME HAILU/Primary Examiner, Art Unit 2434