DETAILED ACTION
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claim Objections
Claim 9 is objected to because of the following informalities:  
Claim 9, line 1, “form” should read “from”
Claim 16, line 1, “claim 16” should read “claim 14”
Appropriate correction is required.
Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 1-20 are rejected under 35 U.S.C. 101 because the claimed invention is directed to one of the four statutory categories without significantly more. Claims 1, 6 and 14 recite a method of preventing lockouts in case of multiple attempts of using wrong passwords. Even though the claimed invention falls under one of the four statutory categories, the claims are directed to an abstract idea, and are thus considered a “judicial exception”. This judicial exception is not integrated into a practical application because a person without the use of any technology or computer or machine would be able to perform these limitations. The claim(s) does/do not include additional elements that are sufficient to amount to significantly more than the judicial exception because the limitations of the claim recite the abstract idea where a person can choose to perform a certain task a limited number of times, having the option/reminder not to repeat the same task again. The limitations are mere instructions to implement this abstract idea on a computer, or merely use a computer as a tool to 

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.

Claims 1, 2, 4 and 5 are rejected under 35 U.S.C. 102(a)(1) as being anticipated by Kerametlian et al. (US 20170208075 A1) hereinafter Kerametlian.
Regarding claim 1, Kerametlian teaches a method, comprising: determining that a received first password for a user account is not valid for the user account (Kerametlian: [0031] provides a step 204 which determines that a first bad (invalid) password is received for the user account);
in response to determining that the first password is not valid, incrementing a lockout counter associated with the user account (Kerametlian: [0026] provides for the evaluation of the password and increments a lockout counter if the first password is not valid);
determining that a received second password for the user account is the same as the first password (Kerametlian: [0026] provides a list containing incorrect password’s hash and 
in response to determining that the second password is the same as the first password, preventing incrementing of the lockout counter (Kerametlian: [0026] provides an authentication method where if the password used is incorrect, the password system first checks its hash against the list of previous incorrect passwords. If the list contains the incorrect password’s hash, then the password system will not increment any lockout counter).
Regarding claim 2, Kerametlian teaches the method of claim 1, determining that a received third password for the user account is different than the first password, and that the third password is not valid for the user account (Kerametlian [0031] provides for an authentication step 204 in Fig. 2 to determine that the received password is bad (not valid) and also determines that if the current bad password is not on the list of previously received bad passwords, then the password is different);
in response to determining that the third password is not valid, incrementing the lockout counter (Kerametlian [0031] provides for an updated list of previously received bad passwords in step 211 (Fig. 2) and increments the lockout counter);
determining that a received fourth password for the user account is the same as one of the first password or the third password (Kerametlian [0031] teaches that when a bad password was received, then the process moves to step 209 (Fig. 2) and determines if the bad password is in the list of previously received bad passwords. If the current bad password is already on the list of previously received bad passwords, then the process moves to step 210 (Fig. 2) and returns a “bad password” output in response to the authentication request); and

Regarding claim 4, Kerametlian teaches the method of claim 1, wherein determining that the first password is not valid comprises: sending data representative of the first password to an authentication device (Kerametlian: [0031] if it is determined in step 204 that a bad password was received which provides the authentication device); and
receiving, from the authentication device, data indicating that the first password is not valid (Kerametlian: [0065] provides a system comprising an interface configured to receive an authentication request with an incorrect credential and determines that the password is not valid).
Regarding claim 5, Kerametlian teaches the method of claim 1, wherein incrementing the lockout counter comprises sending data representative of the first password to an authentication device to cause the authentication device to increment the lockout counter, the lockout counter being controlled by the authentication device (Kerametlian: [0065] provides an interface configured to receive an authentication request with an incorrect credential and increase the lockout counter which is controlled by the authentication device); and
wherein preventing incrementing of the lockout counter comprises avoiding sending data representative of the second password to the authentication device (Kerametlian: [0031] provides a process in step 204 when a bad password was received, then the process moves to 

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claim 3 is rejected under 35 U.S.C. 103 as being unpatentable over Kerametlian (US 20170208075 A1), in view of Kirsch (US 20130198834 A1). 
Regarding claim 3, Kerametlian teaches the method of claim 2, further comprising performing a first salted hash on the first password to generate a first salted hashed password; storing the first salted hashed password and a first salt value for the first salted hashed password; performing a second salted hash on the third password to generate a second salted hashed password; storing the second salted hashed password and a second salt value for the second salted hashed password; (Kerametlian: [0010] discusses performing hashes for the incorrect passwords and recording the hashed passwords in a list);
wherein determining that the fourth password is the same as one of the first password or the third password comprises (Kerametlian: [0031] provides for the process to move to step 209 (Fig. 2) and determines if the bad password is in the list of previously received bad passwords. If the current bad password is already on the list of previously received bad passwords, then the 
performing a third salted hash on the fourth password using the first salt value to generate a third salted hashed password; performing a fourth salted hash on the fourth password using the second salt value to generate a fourth salted hashed password; and determining that one of the third salted hashed password is the same as the first salted hashed password or the fourth salted hashed password is the same as the second salted hashed password (Kerametlian: [0026] provides for the authentication process that if the password used is incorrect the password system first checks its hash against the account's list. If the incorrect password’s hash is on the list, which provides the hashed password is same as one of previous hashed password stored in the list);
However, Kerametlian does not teach about using a salt value by adding random numbers to the hash to hide its real hash value. Kirsch teaches about using salted hashed passwords (Kirsch: [0017] provides for passcode guesses which may comprise a hash of the salted password). 
Kerametlian and Kirsch are both considered to be analogous to the claimed invention because they are in the same field of encryption using hashes. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Kerametlian to incorporate the teachings of Kirsch and provide a salted hashed password for the authentication process. Doing so would aid in providing uniqueness to the hashing process and increasing the complexity without increasing user requirements and mitigating password attacks like hash table.
Claims 6-9, 12-16 and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over Kerametlian (US 20170208075 A1), in view of Jagtap (US 20150199500 A1) and Perlman (US 10819700 B1).
Regarding claim 6, Kerametlian teaches a server operating to provide a service for multiple service providers, the server comprising: a memory storing an attempt table (Kerametlian: [0024] provides a list of previously seen bad password hashes for each user may be stored in a cache or other storage); and
a processor implemented in circuitry and configured to: in response to receiving a first password for a user account, forward the first password to an authentication device (Kerametlian: [0019] provides for the users to input a password in an authentication request to access server or an application. Server 103 provides a smart password system to control user access. The smart password system may be, for example, an application executing on processor 105);
determine that the first password is not valid for the user account; store data representative of the first password in association with the user account in the attempt table (Kerametlian: [0031] provides if it is determined in step 204 that a bad password was received, Alternatively, if the current bad password is not on the list of previously received bad passwords, then the process moves to step 211 and adds the current bad password to the list of previously received bad passwords);
Kerametlian does not teach about a single sign on service. Jagtap teaches this limitation (Jagtap: [0010] provides for an interface through which each user can manage his own password, which he can use for single sign-on purposes.) 
Kerametlian and Jagtap are both considered to be analogous to the claimed invention because they are in the same field of authentication methods. Therefore, it would have been obvious to 
Kerametlian does not teach about determining whether the second password matches the first password; and when they do not match, forward the second password to the authentication device.
Perlman teaches this limitation where the comparison of the first and second passwords is done and in case they do not match, the second password is sent to the authentication device (Perlman: [30] provides such operations which are illustratively performed by the password processing module 126, which is configured to compare passwords entered by a user against the corresponding incorrect password history stored in the incorrect password histories database 116, before those passwords are submitted by the client device 105 to at least one of the authentication servers). 
Kerametlian and Perlman are both considered to be analogous to the claimed invention because they are in the same field of authentication methods. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Kerametlian to incorporate the teachings of Perlman and provide a comparison module to compare the incoming passwords with the previously stored incorrect ones before sending the incoming password to the authentication device when they don’t match. Doing so would aid in providing an efficient way to use the authentication device for password verification and saving extra processing power to evaluate every password by the authentication device.

Regarding claim 7, Kerametlian teaches the server of claim 6, wherein the processor of the server is further configured to: in response to storing the first password in association with the user account in the attempt table, start a timer; when the timer expires, delete the first password from the attempt table (Kerametlian: [0025] teaches that the bad password cache items may be set to expire periodically, such as after 24 hours).
Regarding claim 15, this claim contains the same limitations as claim 7 for a non-transitory computer readable medium, and is rejected under the same rationale.
Regarding claim 8, Kerametlian teaches the server of claim 7, wherein the processor of the server is further configured to, in response to receiving, after the timer has expired, a third password for the user account that matches the first password, forward the third password to an authentication device (Kerametlian: [0025] teaches that the first password cache items may be set to expire periodically which provides for a third password for the user account that matches the first password (already deleted from the list) to be forwarded to the authentication device).
Regarding claim 16, this claim contains the same limitations as claim 8 for a non-transitory computer readable medium, and is rejected under the same rationale.
Regarding claim 9, Kerametlian teaches the server of claim 6, wherein the first password originates from a first user device and the second password originates from a second user device (Kerametlian: [0019] provides FIG. 1 which is a block diagram of a system employing a smart password system according to an example embodiment. Users at devices 101, 102 access applications on server 103 via network 104 using passwords)

 Perlman teaches this limitation where the comparison of the third and first passwords is done and in case they do not match, the third password is sent to the authentication device (Perlman: [30] provides such operations which are illustratively performed by the password processing module 126, which is configured to compare passwords entered by a user against the corresponding incorrect password history stored in the incorrect password histories database 116, before those passwords are submitted by the client device 105 to at least one of the authentication servers). 
Kerametlian further teaches determining that the third password is not valid for the user account; and storing the third password in association with the user account in the attempt table (Kerametlian [0031] provides for an updated list (attempt table) of previously received bad password in step 211 (Fig. 2) by adding the latest invalid password and increments the lockout counter);
Kerametlian and Perlman are both considered to be analogous to the claimed invention because they are in the same field of authentication methods. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Kerametlian to incorporate the teachings of Perlman and provide a comparison module to compare the incoming passwords with the previously stored incorrect ones before sending the incoming password to the authentication device when they don’t match. 
Regarding claim 19, this claim contains the same limitations as claim 12 for a non-transitory computer readable medium, and is rejected under the same rationale.
Regarding claim 13, Kerametlian does not teach about determining whether the fourth password matches the first or third password; and when they do not match, forward the fourth password to the authentication device.
Perlman teaches this limitation where the comparison of the fourth with first and second passwords is done and in case they do not match, the fourth password is sent to the authentication device (Perlman: [30] provides such operations which are illustratively performed by the password processing module 126, which is configured to compare passwords entered by a user against the corresponding incorrect password history stored in the incorrect password histories database 116, before those passwords are submitted by the client device 105 to at least one of the authentication servers). 
Kerametlian and Perlman are both considered to be analogous to the claimed invention because they are in the same field of authentication methods. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Kerametlian to incorporate the teachings of Perlman and provide a comparison module to compare the incoming passwords with the previously stored incorrect ones before sending the incoming password to the authentication device when they don’t match. Doing so would aid in providing an efficient way to use the authentication device for password 
Regarding claim 20, this claim contains the same limitations as claim 13 for a non-transitory computer readable medium, and is rejected under the same rationale.
Claims 10, 11, 17 and 18 are rejected under 35 U.S.C. 103 as being unpatentable over Kerametlian (US 20170208075 A1), in view of Jagtap (US 20150199500 A1), Perlman (US 10819700 B1) and Kirsch (US 20130198834 A1).
Regarding claim 10, Kerametlian teaches the server of claim 6, wherein to store the first password in association with the user account in the attempt table further comprises, the processor of the server is further configured to: generate a first hash of the first password with a first salt value; and store the first hash and the first salt value in association with the user account in the attempt table (Kerametlian: [0010] discusses performing hashes for the incorrect passwords and recording the hashed passwords in a list which provides for the attempt table);
However, Kerametlian does not teach about using a salt value by adding random numbers to the hash to hide its real hash value. Kirsch teaches about using salted hashed passwords (Kirsch: [0017] provides for passcode guesses which may comprise a hash of the salted password). 
Kerametlian and Kirsch are both considered to be analogous to the claimed invention because they are in the same field of encryption using hashes. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Kerametlian to incorporate the teachings of Kirsch and provide a salted hashed password for the authentication process. Doing so would aid in providing uniqueness to the hashing process and increasing the complexity without increasing user requirements and mitigating password attacks like hash table.

Regarding claim 11, Kerametlian teaches the server of claim 10, wherein to determine whether the second password matches the first password, the processor of the server is further configured to: generate a second hash of the second password with the first salt value; and determine that the second password matches the first password when the second hash matches the first hash (Kerametlian: [0026] provides for the authentication process that if the password used is incorrect the password system first checks its hash against the account's list. If the incorrect password’s hash is on the list, which provides the hashed password is same as one of previous hashed password stored in the list);
However, Kerametlian does not teach about using a salt value by adding random numbers to the hash to hide its real hash value. Kirsch teaches about using salted hashed passwords (Kirsch: [0017] provides for passcode guesses which may comprise a hash of the salted password). 
Kerametlian and Kirsch are both considered to be analogous to the claimed invention because they are in the same field of encryption using hashes. Therefore, it would have been obvious to someone of ordinary skill in the art before the effective filing date of the claimed invention to have modified Kerametlian to incorporate the teachings of Kirsch and provide a salted hashed password for the authentication process. Doing so would aid in providing uniqueness to the hashing process and increasing the complexity without increasing user requirements and mitigating password attacks like hash table.
Regarding claim 18, this claim contains the same limitations as claim 11 for a non-transitory computer readable medium, and is rejected under the same rationale.
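The mechanism discussed across the rejections above (an attempt table of salted hashes of rejected passwords, a lockout counter that is not incremented for a repeated bad password, and entries that expire after a period) can be sketched as follows. This is an added illustration, not code from the application or from any cited reference; the class and function names, the lockout threshold, the PBKDF2 parameters and the in-memory table are assumptions.

```python
import hashlib
import hmac
import os
import time

TTL_SECONDS = 24 * 60 * 60  # entry lifetime; 24 hours is the example period cited above
MAX_FAILURES = 3            # assumed lockout threshold
KDF_ROUNDS = 100_000        # assumed PBKDF2 work factor


def salted_hash(password, salt):
    # Slow salted hash: stored wrong guesses are often near-misses of the real password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ROUNDS)


class LockoutGuard:
    """Sits in front of the authentication device (here a `verify` callable)."""

    def __init__(self, verify, clock=time.time):
        self.verify = verify
        self.clock = clock
        self.failures = {}   # user -> lockout counter
        self.attempts = {}   # user -> [(salt, digest, expires_at)]  (attempt table)

    def _seen_before(self, user, password):
        now = self.clock()
        rows = [r for r in self.attempts.get(user, []) if r[2] > now]  # drop expired rows
        self.attempts[user] = rows
        seen = False
        for salt, digest, _ in rows:
            # Every row has its own salt, so the candidate is re-hashed per row.
            if hmac.compare_digest(salted_hash(password, salt), digest):
                seen = True  # no early exit: work does not depend on match position
        return seen

    def login(self, user, password):
        if self.failures.get(user, 0) >= MAX_FAILURES:
            return "locked"
        if self._seen_before(user, password):
            return "repeat"  # not forwarded to verify, counter untouched
        if self.verify(user, password):
            self.failures[user] = 0
            self.attempts[user] = []
            return "ok"
        salt = os.urandom(16)
        row = (salt, salted_hash(password, salt), self.clock() + TTL_SECONDS)
        self.attempts[user].append(row)
        self.failures[user] = self.failures.get(user, 0) + 1
        return "counted"


def demo():
    # Constructed scenario: fake clock and a stub verifier for one account.
    now = [0.0]
    forwarded = []

    def verify(user, password):
        forwarded.append(password)
        return password == "correct horse"

    guard = LockoutGuard(verify, clock=lambda: now[0])
    results = [guard.login("alice", p)
               for p in ("hunter2", "hunter2", "hunter3", "hunter2")]
    now[0] += TTL_SECONDS + 1  # stored entries expire
    results.append(guard.login("alice", "hunter2"))        # forwarded and counted again
    results.append(guard.login("alice", "correct horse"))  # threshold already reached
    return results, forwarded, guard.failures["alice"]
```

In this sketch the counter itself does not expire with the table entries, so a stale retry after expiry still moves the account toward lockout.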

Citation of Pertinent Prior Art
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Popoveniuc et al (US 8490162 B1) teaches a system and method for recognizing malicious credential guessing attacks.
Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to YASMIN JAHIR whose telephone number is (571)272-0346.  The examiner can normally be reached on Mon-Fri 9:00-5:00 PM.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor Jeffrey Nickerson can be reached on (469)295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to 

/Jeffrey Nickerson/Supervisory Patent Examiner, Art Unit 2432

/Y.J./Examiner, Art Unit 2432