DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Amendment
This office action is in response to the amendment filed on 07/13/2021. After the examiner’s amendment shown below, claims 1, 14 and 24 are independent. Claims 19 and 25 are cancelled. Claims 1, 14, 24 and 26-27 are amended. Thus, claims 1-18, 20-24 and 26-27 are pending and being considered.

Examiner’s Amendment
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner’s amendment was given in a telephone interview with the applicant’s representative, Mr. Christopher Anderson (Reg. No. 77,898), on 08/10/2021. The summary of the interview is attached.

Amendments to the Claims
The application has been amended as follows:
1. (Currently Amended) A non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one 
securely maintaining data associated with a plurality of authentication credentials, the plurality of authentication credentials being useable by a plurality of identities to obtain access to one or more access-controlled network resources; 
generating an intermediate value based on the data associated with a selected group of the plurality of authentication credentials; 
generating, based on application of a secret logic algorithm to the intermediate value
making available, the secret data element, to be embedded in a first authentication credential of the plurality of authentication credentials; 
identifying an attempt to change the first authentication credential, the attempt including new authentication credential data to replace data in the first authentication credential; 
validating, conditional on a determination whether the new authentication credential data includes the secret data element in a predefined location, the attempt to change the first authentication credential; and 
determining, based on the validating, whether to perform a control action based on the new authentication credential data.  

2. (Original) The non-transitory computer readable medium of claim 1, wherein the data associated with the plurality of authentication credentials includes a plurality of hashes indicative of passwords associated with the plurality of identities.  

3. (Original) The non-transitory computer readable medium of claim 1, wherein the data associated with the plurality of authentication credentials includes data derived from passwords associated with the plurality of identities.  

4. (Original) The non-transitory computer readable medium of claim 1, wherein the data associated with the plurality of authentication credentials includes a plurality of hashes of authentication keys.  

5. (Original) The non-transitory computer readable medium of claim 1, wherein the data associated with the plurality of authentication credentials is maintained in a common ledger, the common ledger storing updates to the plurality of authentication credentials.  

6. (Previously Presented) The non-transitory computer readable medium of claim 1, wherein generating the secret data element includes performing a tree hashing function to the data associated with the selected group of the plurality of authentication credentials.  

7. (Previously Presented) The non-transitory computer readable medium of claim 1, wherein generating the secret data element includes concatenating two or more elements of the data associated with the selected group of the plurality of authentication credentials and performing a hashing function on the concatenated data elements.  

8. (Previously Presented) The non-transitory computer readable medium of claim 1, wherein generating the secret data element includes performing a summation function 

9. (Original) The non-transitory computer readable medium of claim 1, wherein the control action includes rejecting the new authentication credential data.  

10. (Original) The non-transitory computer readable medium of claim 1, wherein the control action includes generating an alert identifying the new authentication credential data.  

11. (Original) The non-transitory computer readable medium of claim 1, wherein the control action includes disabling network access for an identity associated with the new authentication credential data.  

12. (Original) The non-transitory computer readable medium of claim 1, wherein the control action includes monitoring activity of an identity associated with the new authentication credential data.  

13. (Original) The non-transitory computer readable medium of claim 1, wherein the control action includes registering the new authentication credential data in a credential repository that securely maintains the data associated with the plurality of authentication credentials.  

14. (Currently Amended) A computer-implemented method, executed by one or more hardware processors, for controlling changes to authentication credentials, the method comprising: 

generating, by the one or more hardware processors, an intermediate value based on the data associated with a selected group of the plurality of authentication credentials; 
generating, based on application of a secret logic algorithm to the intermediate value
making available, the secret data element, to be embedded in a first authentication credential of the plurality of authentication credentials; 
identifying an attempt to change the first authentication credential, the attempt including new authentication credential data to replace data in the first authentication credential; 
validating, conditional on a determination whether the new authentication credential data includes the secret data element in a predefined location, the attempt to change the first authentication credential; and 
determining, based on the validating, whether to perform a control action based on the new authentication credential data.  

15. (Original) The computer-implemented method of claim 14, wherein the method is performed by an agent on a domain controller in communication with a secure credentials repository that securely maintains the data associated with the plurality of authentication credentials.  

16. (Original) The computer-implemented method of claim 14, wherein the method is performed by an agent on the one or more access-controlled network resources.  

17. (Original) The computer-implemented method of claim 14, wherein the method is performed by a system that securely maintains the data associated with the plurality of authentication credentials.  

18. (Original) The computer-implemented method of claim 14, wherein the method is performed by a system remote from a secure credentials repository that securely maintains the data associated with the plurality of authentication credentials.  

19. (Cancelled).

20. (Previously Presented) The computer-implemented method of claim 14, wherein generating the secret data element, comprises generating a plurality of secret data elements.  

21. (Original) The computer-implemented method of claim 20, wherein each of the plurality of secret data elements are distinct and are uniquely associated with each of the plurality of authentication credentials.  

22. (Original) The computer-implemented method of claim 14, wherein the secret data element includes a randomized data portion.  

23. (Original) The computer-implemented method of claim 14, wherein the secret data element is made available together with a randomized data portion.  

24. (Currently Amended) A non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations for controlling use of authentication credentials, the operations comprising: 
securely maintaining data associated with a plurality of authentication credentials, the plurality of authentication credentials being useable by a plurality of identities to obtain access to one or more access-controlled network resources; 
generating an intermediate value based on the data associated with a selected group of the plurality of authentication credentials; 
generating, based on application of a secret logic algorithm to the intermediate value
making available, the secret data element, to be embedded in a first authentication credential of the plurality of authentication credentials; 
identifying an attempted privileged access session, the attempted privileged access session including an attempted use of a second authentication credential, wherein the attempted privileged access session includes an attempt by an identity to access an access-restricted network resource; 
determining whether the second authentication credential includes the secret data element in a predefined location; and
determining, based on whether the second authentication credential includes the secret data element, whether to perform a control action based on the attempted privileged access session.  

25. (Cancelled).  

26. (Currently Amended) The non-transitory computer readable medium of claim [[25]] 24, wherein the attempted use of the second authentication credential includes the identity providing the second authentication credential to be authenticated.  

27. (Currently Amended) The non-transitory computer readable medium of claim [[25]] 24, wherein the attempted use of the second authentication credential includes the identity attempting to access the second authentication credential from a secure storage resource to be authenticated.
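As an added illustration of the mechanism the claims describe (constructed example code, not code from the application or from the examiner), the following Python block maintains password hashes for several identities, derives an intermediate value from a selected group (claim 7), applies an assumed secret logic algorithm (HMAC-SHA256 with a constructed key) to obtain the secret data element, embeds it at an assumed predefined location (a suffix of the credential), and decides the control action for an attempted credential change (claims 9-10) or an attempted privileged access session (claim 24). The key, the element length and the suffix location are assumptions of this example, not values from the claims.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Constructed sample data: SHA-256 hashes of passwords for several identities (claim 2).
CREDENTIAL_STORE: Dict[str, str] = {
    "alice": hashlib.sha256(b"correct-horse").hexdigest(),
    "bob": hashlib.sha256(b"battery-staple").hexdigest(),
    "svc-backup": hashlib.sha256(b"xyzzy-1234").hexdigest(),
}
# Assumed "secret logic algorithm": HMAC-SHA256 keyed with a constructed secret.
SECRET_LOGIC_KEY = b"constructed-example-key"
ELEMENT_LEN = 8  # assumed length of the secret data element, in hex characters


def intermediate_value(store: Dict[str, str], group: Tuple[str, ...]) -> str:
    """Concatenate the hashes of the selected group and hash the result (claim 7)."""
    concatenated = "".join(store[identity] for identity in sorted(group))
    return hashlib.sha256(concatenated.encode()).hexdigest()


def secret_data_element(intermediate: str) -> str:
    """Apply the (assumed) secret logic to the intermediate value and truncate."""
    tag = hmac.new(SECRET_LOGIC_KEY, intermediate.encode(), hashlib.sha256).hexdigest()
    return tag[:ELEMENT_LEN]


def embed(base_secret: str, element: str) -> str:
    """Predefined location (assumed): the element is appended as a credential suffix."""
    return base_secret + element


def includes_element(credential: str, element: str) -> bool:
    """Check the predefined location for the element; the element alone is not a credential."""
    if len(credential) <= len(element):
        return False
    # Constant-time comparison so the check itself does not leak the element.
    return hmac.compare_digest(credential[-len(element):], element)


def validate_change(new_credential: str, element: str) -> str:
    """Control action for an attempted credential change (claim 1, claims 9-10)."""
    if includes_element(new_credential, element):
        return "accept"
    return "reject-and-alert"


def session_decision(presented_credential: str, element: str) -> str:
    """Control action for an attempted privileged access session (claim 24, claim 12)."""
    if includes_element(presented_credential, element):
        return "allow"
    return "deny-and-monitor"
```

A change submitted through the credential management path carries the element at the expected location and is accepted; a change or session that bypasses that path lacks it and is routed to the control action.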

Allowable Subject Matter
The following is an examiner’s statement of reasons for allowance: 
After further search and consideration, claims 1-18, 20-24 and 26-27 are allowed over the cited prior art of record. 
The following references of record disclose the general subject matter recited in the independent claims 1, 14 and 24, as those claims read before and after the current amendment.
A.	Truskovsky; Alexander et al. (US 9,088,556 B2), discloses that a keyring (such as a credential store and/or password store) may allow for the secure storage of data such as usernames, passwords, cryptographic (e.g. encryption) keys, access codes, digital certificates, and other secure data items, for multiple applications and services, typically by storing the data in encrypted form, where each of the credentials accessed within the period is associated with a
B.	Finlow-Bates; Keir (US 2020/0052899 A1), discloses that the salt may be derived by applying a one-way function, for example a cryptographic hash function, to some or all of data included in the most recent block. Wherein, the derived salt may be concatenated with a master password (MPWD), using a concatenation function 106, to produce a concatenation (i.e., new password), in order to determine the validity of the new password.
C.	Correl; Stephen F. et al. (US 8,056,123 B2), discloses computing and/or deriving a service secret, which is only good for a limited time, in conjunction with the user authentication and authorization credentials. Thereafter, the computed service secret is combined with a user-supplied password. A user or service person provides a userID and (new) password to the system. The system tests the (new) password supplied by the user or service person for the presence of the service secret by determining the validity of the service secret within the new password, wherein said service secret is an authentication element separate from the presented password that in combination with the password provides access to a service function of said computer system. In one embodiment, the
D.	Chen; Abraham T. (US 2018/0337957 A1), discloses that the maintained information 835 related to and identifying each credential of the plurality of credentials can comprise information identifying individual certificates, such as values for at least one of the one or more attributes of each certificate. Additionally or alternatively, the information 835 can comprise information identifying the plurality of certificates in the aggregate. For example, the information 835 can comprise information representing the aggregated data set comprising the certificates, e.g., a hash value generated by applying a hash function to the plurality of certificates. Further, by using the maintained information 835 identifying the certificates, the certificate monitoring component 830 can perform one or more checks on the credentials. The one or more checks can be performed by the certificate monitoring component 830 upon a system boot, periodically, or based on satisfaction of a condition defined in a rule. The checks can comprise one or more checks on the plurality of credentials together and/or one or more checks on each credential individually.
E.	Schneider; James Paul (US 2009/0327740 A1), relates to securing a password database. In one embodiment, username encryption engine 212 combines the username with a salt value and computes a digest of the combined username and salt value using a hashing algorithm, wherein the
F.	Moen; Daniel G et al. (US 2019/0007428 A1), provides techniques for detecting compromised credentials in a credential stuffing attack. For example, for each credential in the set of credentials, the module may generate a salt based on the username in the credential(s), wherein the username in the set of credentials may be associated with multiple credentials having different passwords (i.e., a first credential and a second credential, both of which include the same username but different passwords).
G.	Alvaro Madero (Password Secured Systems and Negative authentication; June 2013), this thesis presents the state of the practice in password systems and introduces work in negative authentication and its implementations. Such as by implementing hashing on a password database, the entries in the database contain the digests for the passwords and the plain-text passwords should not be stored anywhere. When a user needs to authenticate, the password that he supplies will be hashed using the same algorithm that the database used. The resulting digest is compared to the one stored and if they match, the user is allowed access. In cryptography a salt represents a set of data added to the 
H.	SPILMAN; Jeremy (US 2014/0032922 A1), discloses a blind hashing system and method in which blind hashing is used for data encryption and secure data storage, such as in password authentication, symmetric key encryption, revocable encryption keys, etc. The system and method include using a hash function output (digest) as an index or pointer into a huge block of random data, extracting a value from the indexed location within the random data block, using that value to salt the original password or message, and then hashing it to produce a second digest that is used to verify the password or message, encrypt or decrypt a document, and so on. A different hash function can be used at each stage in the process. The blind hashing algorithm typically runs on a dedicated server and only sees the digest; it never sees the password, message, key, or the salt used to generate the digest.
I.	See the other cited prior art.
However, the above prior art of record, including the rest of the cited prior art, taken alone or in combination, neither anticipates nor renders obvious the claimed subject matter of the instant application taken as a whole, as recited in the independent claims 1, 14 and 24. 

The dependent claims 2-13, 15-18, 20-23 and 26-27, which depend from the above independent claims, further limit those claims, and are definite and enabled by the specification, are also allowed.
Furthermore, the applicant’s replies make evident the reasons for allowance, satisfying the “record as a whole” proviso of the rule 37 CFR 1.104(e). The grounds of claim rejection were reconsidered and withdrawn based on the substance of the applicant’s amendments, remarks and arguments (see arguments/remarks filed on 07/13/2021, pages 10-13); as such, the reasons for allowance are in all probability evident from the record.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submission should be clearly labeled “Comments on Statement of Reasons for Allowance.” In the event of any post-allowance papers (e.g. IDS, 312 amendment, petition, etc.), Applicant is exhorted to mail the papers to the Production Control Branch in Publications, or to fax them to the post-allowance papers correspondence branch at (703) 308-5864, to expedite the issuing process, or to call PUB’s Customer Service at (703) 305-8497 with any questions.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ALI CHEEMA, whose contact number is 571-272-1239. The examiner can normally be reached on Mon-Fri: 8AM – 4PM. 

Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/ALI CHEEMA/
Examiner, Art Unit 2433

/SAMSON B LEMMA/Primary Examiner, Art Unit 2498