Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees. A nonstatutory double patenting rejection is appropriate where the conflicting claims are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on nonstatutory double patenting provided the reference application or patent either is shown to be commonly owned with the examined application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. See MPEP § 717.02 for applications subject to examination under the first inventor to file et seq. for applications not subject to examination under the first inventor to file provisions of the AIA. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO Internet website contains terminal disclaimer forms which may be used. Please visit www.uspto.gov/patent/patents-forms. The filing date of the application in which the form is filed determines what form (e.g., PTO/SB/25, PTO/SB/26, PTO/AIA/25, or PTO/AIA/26) should be used. A web-based eTerminal Disclaimer may be filled out completely online using web-screens. An eTerminal Disclaimer that meets all requirements is auto-processed and approved immediately upon submission. For more information about eTerminal Disclaimers, refer to www.uspto.gov/patents/process/file/efs/guidance/eTD-info-I.jsp.
Claims 1-22 are rejected on the ground of nonstatutory double patenting as being unpatentable over claims 1-18 of U.S. Patent No. 10,783,238. Although the claims at issue are not identical, they are not patentably distinct from each other because claims 1-18 of the ‘238 patent fully anticipate the scope of respective claims 1-22 of the instant application.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.

Claims 2 and 12 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor, or for pre-AIA the applicant regards as the invention.
The terms “common” and “popular” in claims 2 and 12 are relative terms which render the claim indefinite. The terms “common” and “popular” are not defined by the claim, the specification does not provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be reasonably apprised of the scope of the invention. The examiner notes that what is considered “common” or “popular” with respect to a “set of third party applications or sites” frequently changes, and that different consumers in different markets view what is “common” or “popular” differently from each other, which renders the scope of these terms indefinite.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

Claims 20-22 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter.  The claim(s) does/do not fall within at least one of the four categories of patent eligible subject matter because claim 20 is directed to solely software. For example, claim 20 recites “Software-as-a-service system” that comprises “a network-accessible cloud service having a data repository” and “a browser plug-in or add-in configured to be executed in an end user computing system” which are all considered software elements. Given the absence of any positive hardware 
Software (functional descriptive material) per se not claimed as embodied/encoded in a non-transitory computer-readable media or a hardware device is considered not statutory. Software by itself is not capable of causing functional change in the computer (transform underlying claimed subject matter to a different state or thing), nor machine (not tied to another statutory class, such as a particular apparatus), and is therefore not statutory. The examiner suggests Applicant either amend claim 20 to positively recite a hardware device or to implement the software on a “non-transitory computer-readable medium” in order to overcome this rejection.

Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1-4, 10-14, 20, and 21 is/are rejected under 35 U.S.C. 103 as being unpatentable over “Cavanagh” (US 9824208) in view of “Banerjee” (US 2016/0212141).

Regarding Claim 1:
Cavanagh teaches:
A method to automate password changes in a password management service (Abstract, “… periodically generating and managing passwords for one or more websites … automatically replace their old passwords with new passwords for their one or more website accounts”), comprising:
responsive to a determination that automated password changes are authorized (Col. 4, lines 33-35, “A user can create a set of rules on the cloud based active password manager to automatically change passwords for each of the user’s one or more website accounts. For example, the set of rules may include a pre-determined time frequency setting indicating an interval or period at which the passwords of the users’ one or more websites or network accounts should be automatically updated”), initiating a data mining session (Col. 5, lines 26-30, “… the password manager may implement a learning algorithm that may be used to update the password manager’s rules, used for generating replacement passwords. The learning algorithm may employ web parser software…”);
within the data mining session, identifying a set of third party applications or sites (Col. 5, lines 29-35, “The learning algorithm may employ web parser software to identity elements of webpages … which the password manager may then use to identify, e.g., the website’s password requirements and security behaviors”; i.e., while executing the learning algorithm, identify a website’s password requirements or security behaviors);
responsive to receipt of a password reset flow authorization (Col. 5, lines 49-59, “… a user-capture learning algorithm, the user may be prompted to change the password for a given website or network account for a first time, and then the user-capture learning algorithm saves the step-by-step procedure performed by the user to successfully change the password of the given website or network account”), automatically initiating a password reset flow to one or more of the third party applications or sites (Col. 5, lines 36-39, “Thereafter, the data on the web page is parsed and matched with various pre-stored keywords to identify … a change password fields such as … “reset password”; i.e., a user provides authorization to conduct a password reset by virtue of providing a step-by-step procedure on how to conduct a password reset for a specific website so that a password manager may automatically conduct future password resets in accordance to a policy); 
…
Cavanagh does not disclose:
within the data mining session, and for each of the one or more third party applications or sites, determining whether a password reset confirmation link has been received; and
responsive to a determination that a password reset confirmation link has been received for a given third party application or site, using the password reset confirmation link to perform an automated password reset and thereby obtain a new user password.
Banerjee teaches:
“For example, the credential management … platform can automatically locate the confirmation email sent by the resource and parse the email to obtain a confirmation…”) and for each of the one or more third party applications or sites, determining whether a password reset confirmation link has been received (¶0091, “In some embodiments, the credential management … platform can access the email for the end client in order to intercept email messages sent by a resource to the end client confirming the reset request”); and
responsive to a determination that a password reset confirmation link has been received for a given third party application or site, using the password reset confirmation link to perform an automated password reset and thereby obtain a new user password (¶0091, “For example, the credential management … platform can automatically locate the confirmation email sent by the resource and parse the email to obtain a confirmation and/or otherwise take action (simulate mouse-click, visit page link in the email, etc.) to confirm the email reset”).
	Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Cavanagh’s cloud-based password manager by enhancing Cavanagh’s password manager to parse e-mails containing password reset confirmation links and to perform an automated password reset via the confirmation link, as taught by Banerjee, in order to create an automated password manager that is invisible to a user.
	The motivation is to enhance a password manager that periodically updates passwords by allowing the password manager to automatically access e-mails containing password reset confirmation links in order to fully automate a password 

Regarding Claim 2:
The method as described in claim 1 wherein Cavanagh in view of Banerjee further teaches the set of third party applications or sites are identified from one of: a user e-mail in-box, a browser history, and a list of common or popular third party applications or sites (Cavanagh, Col. 9, lines 53-57; Col. 17, lines 1-3 & 29-32, “In one example of the exemplary embodiment, the user may want to include the login credentials for a Facebook® account and a Bank of America® account” & “At step 306, record user’s one or more websites list”; i.e., identify websites on a user’s website list in which to update passwords for, the websites including Facebook and Bank of America which are widely considered common or popular third party sites).

Regarding Claim 3:
The method as described in claim 1 wherein Cavanagh in view of Banerjee further teaches a data mining session is initiated with at least one email provider associated with the user (Banerjee, ¶0026, “The password requirement criteria can also indicate use of a password verification system 170, e.g., email platform where a resource sends password modification verifications. In some embodiments, the credential management (ZPL) platform 140 can access the email for the end client in order to intercept email messages sent by a resource to the end client confirming the reset request”; ¶0091, “As discussed above, the password requirement criteria can indicate use of a password verification system, such as, for example, an email platform where the resource sends a password modification verification or confirmation. In some embodiments, the credential management system … platform can access the email for the end client in order to intercept email messages by a resource to the end client confirming the reset request. For example, the credential management … platform can automatically locate the confirmation email sent by the resource and parse the email to obtain a confirmation and/or otherwise take action…”; initiate the parsing of an email by virtue of the email being received at an email provider platform).
The motivation to reject claim 3 under Banerjee is the same motivation used to combine Banerjee with Cavanagh in the rejection of claim 1 above.

Regarding Claim 4:
The method as described in claim 1 wherein Cavanagh in view of Banerjee further teaches the password reset confirmation link is provided to a browser plug-in or add-on (Banerjee, ¶0091, “For example, the credential management … platform can automatically locate the confirmation email sent by the resource and parse the email to obtain a confirmation and/or otherwise take action (simulate mouse-click, visit page link in the email, etc.) to confirm the email reset”) to facilitate the automated password reset from the browser plug-in or add-on (Cavanagh, Col. 14, lines 30-33, “Thus, in summary, when the user uses the cloud based adaptive password manager that may employ a portable client device 110a plug-in or a software based client device 110b browser plug-in on the host computer 108”).
The motivation to reject claim 4 under Banerjee is the same motivation used to combine Banerjee with Cavanagh in the rejection of claim 1 above.

Regarding Claim 10:
The method as described in claim 1 wherein Cavanagh in view of Banerjee further teaches the user is a mobile device user (Banerjee, Figure 1, elements 105 and 112).
The motivation to reject claim 10 under Banerjee is the same motivation used to combine Banerjee with Cavanagh in the rejection of claim 1 above.

Regarding Claims 11-14:
Apparatus claims 11-14 correspond to respective method claims 1-4 and contain no further limitations. Therefore claims 11-14 are rejected by applying the same respective rationale used to reject claims 1-4 above.

Regarding Claim 20:
Cavanagh teaches:
Software-as-a-service system for password change management (Col. 2, lines 23-29, “… provide a cloud based active password manager … providing users the ability to automatically update the passwords of each of the their one or more website accounts”), comprising: 
“… the cloud based active password manager system 100 comprises a … password management database 104”); and 
a browser plug-in or add-in configured to be executed in an end user computing system distinct from the network-accessible cloud service (Col. 12, lines 20-22, “… the user uses the host computer 108 and initiates a request to execute the password manager application via a web browser on the internet”);
the network-accessible cloud service operative in response to a determination that automated password changes are authorized (Col. 4, lines 33-35, “A user can create a set of rules on the cloud based active password manager to automatically change passwords for each of the user’s one or more website accounts. For example, the set of rules may include a pre-determined time frequency setting indicating an interval or period at which the passwords of the users’ one or more websites or network accounts should be automatically updated”):
to initiate a data mining session (Col. 5, lines 26-30, “… the password manager may implement a learning algorithm that may be used to update the password manager’s rules, used for generating replacement passwords. The learning algorithm may employ web parser software…”); 
within the data mining session, to identify a set of third party applications or sites (Col. 5, lines 29-35, “The learning algorithm may employ web parser software to identity elements of webpages … which the password manager may then use to identify, e.g., the website’s password requirements and security behaviors”; i.e., while executing the learning algorithm, identify a website’s password requirements or security behaviors); 
in response to receipt of a password receipt flow authorization (Col. 5, lines 49-59, “… a user-capture learning algorithm, the user may be prompted to change the password for a given website or network account for a first time, and then the user-capture learning algorithm saves the step-by-step procedure performed by the user to successfully change the password of the given website or network account”), to initiate a password reset flow to one or more of the third party applications or sites (Col. 5, lines 36-39, “Thereafter, the data on the web page is parsed and matched with various pre-stored keywords to identify … a change password fields such as … “reset password”; i.e., a user provides authorization to conduct a password reset by virtue of providing a step-by-step procedure on how to conduct a password reset for a specific website so that a password manager may automatically conduct future password resets in accordance to a policy);
	…
Cavanagh does not disclose:
within the data mining session, and for each of the one or more third party applications or sites, to determine whether a password reset confirmation link has been received; and 
in response to a determination that a password reset confirmation link has been received for a given third party application or site, providing the password reset confirmation link to the browser plug-in or add-in.
Banerjee teaches:
within the data mining session (¶0091, “For example, the credential management … platform can automatically locate the confirmation email sent by the resource and parse the email to obtain a confirmation…”) and for each of the one or more third party applications or sites, determining whether a password reset confirmation link has been received (¶0091, “In some embodiments, the credential management … platform can access the email for the end client in order to intercept email messages sent by a resource to the end client confirming the reset request”); and
in response to a determination that a password reset confirmation link has been received for a given third party application or site, providing the password reset confirmation link to the browser plug-in or add-in (¶0091, “For example, the credential management … platform can automatically locate the confirmation email sent by the resource and parse the email to obtain a confirmation and/or otherwise take action (simulate mouse-click, visit page link in the email, etc.) to confirm the email reset”).
	Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Cavanagh’s cloud-based password manager by enhancing Cavanagh’s password manager to parse e-mails containing password reset confirmation links and to perform an automated password reset via the confirmation link using a browser add-in, as taught by Banerjee, in order to create an automated password manager that is invisible to a user.
	The motivation is to enhance a password manager that periodically updates passwords by allowing the password manager to automatically access e-mails containing password reset confirmation links in order to fully automate a password 

Regarding Claim 21:
The system as described in claim 20 wherein Cavanagh in view of Banerjee further teaches the browser plug-in or add-in uses the password reset confirmation link to obtain a new user password for the application or site (Banerjee, ¶0091, “For example, the credential management … platform can automatically locate the confirmation email sent by the resource and parse the email to obtain a confirmation and/or otherwise take action (simulate mouse-click, visit page link in the email, etc.) to confirm the email reset”).
The motivation to reject claim 21 under Banerjee is the same motivation used to combine Banerjee with Cavanagh in the rejection of claim 20 above.

Claims 5-9, 15-19, and 22 is/are rejected under 35 U.S.C. 103 as being unpatentable over “Cavanagh” (US 9824208) in view of “Banerjee” (US 2016/0212141) in further view of “Bingell” (US 2014/0040456).

Regarding Claim 5:
Cavanagh in view of Banerjee teaches:
The method as described in claim 1 …
Cavanagh in view of Banerjee does not disclose:
… further including storing the new user passwords in a password management vault associated with the user.
Bingell teaches:
… further including storing the new user passwords in a password management vault associated with the user (Fig. 5A; ¶0045, “The password vault of FIG. 5A may be encrypted for security purposes by the vault manager to protect the passwords stored therein … The userid 515, password 520 and email address 525 are used for accessing the website account and are stored for access by the user as needed and may be provided automatically by the website registration manager when the user attempts to log into the website account”).	
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Cavanagh in view of Banerjee’s cloud-based password manager by enhancing Cavanagh in view of Banerjee’s password manager to securely store passwords in an encrypted vault, as taught by Bingell, in order to prevent unauthorized parties from obtaining the passwords.
	The motivation is to store a user’s passwords at a password manager in a secure fashion by encrypting the passwords within a password vault.

Regarding Claim 6:
Cavanagh in view of Banerjee teaches:
The method as described in claim 1 further including:
	…
“… a user-capture learning algorithm, the user may be prompted to change the password for a given website or network account for a first time, and then the user-capture learning algorithm saves the step-by-step procedure performed by the user to successfully change the password of the given website or network account”).
Cavanagh in view of Banerjee does not disclose:
exposing at least one third party application or site to a user as a potential candidate for password reset; and
Bingell teaches:
exposing at least one third party application or site (Fig. 6, steps 600, 610, and 620; ¶0052, “In a first step 600, it is determined whether a login or registration to a website account has been detected … a user may press a function key … to notify the website registration manager that the user is logging onto a website”; ¶0053, “In step 610, it is determined whether this is a new registration … A new registration may be where a user is creating a new account or it may be where a user is accessing a website account which is unknown to the website registration manager”; ¶0053, “In step 620, the registration information provided by the user to create or access the account is added to the password vault including a unique ID generated by the vault manager, the website URL, the userid, the password, and the email address”; i.e., monitor a user’s browsing session to determine potential websites that should be registered within a password vault) to a user as a potential candidate for password reset (Fig. 6, step 625; ¶0054, “Processing then continues to step 625 where the user is queried through the user interface for a policy based on user preferences with regards to inactivating the account if it is underutilized”; i.e., notify the user to receive preferences regarding conditions to inactivating an account (“resetting” the password of the account); and
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Cavanagh in view of Banerjee’s cloud-based password manager by enhancing Cavanagh in view of Banerjee’s password manager to implement a browser monitor that detects when a user registers with a website and to query the user regarding preferences when to deactivate a stored account and password with the website, as taught by Bingell, in order to prevent stored account passwords from becoming stale.
	The motivation is to receive, from a user, preferences regarding when to automatically inactivate stored account information, including passwords, associated with the user in order to prevent the stored information from being stale over time. Also, automatically inactivating/resetting outdated account information prevents the user from having to manually remove stored information from the account, thus eliminating scenarios where the user may forget about the account or where the user lacks time to inactivate the account.

Regarding Claim 7:
The method as described in claim 6 Cavanagh in view of Banerjee in further view of Bingell further including closing the data mining session upon completing of the automated password reset for each of the third party application or sites for which the user has provided a password reset flow authorization (Banerjee, Figure 8A, step 14 details resetting of a password after receiving an e-mail verification link with no 
The motivation to reject claim 7 under Banerjee is the same motivation used to combine Banerjee with Cavanagh in the rejection of claim 5 above.

Regarding Claim 8:
The method as described in claim 6 wherein Cavanagh in view of Banerjee in further view of Bingell further teaches the third party application or site is exposed to the user as it is discovered during the data mining session (Bingell, Fig. 6, step 600 monitors for website registrations and Fig. 6, step 625 queries the user to provide preferences regarding when to inactivate the account).
The motivation to reject claim 8 under Bingell is the same motivation used to combine Bingell with Cavanagh in view of Banerjee in the rejection of claim 5 above.

Regarding Claim 9:
The method as described in claim 5 Cavanagh in view of Banerjee in further view of Bingell further including storing the password management vault as an encrypted blob at the password management service (Bingell, Fig. 4, elements 410 & 440 and Fig. 5A detail storing an encrypted password vault (blob) at a password manager system 410).
The motivation to reject claim 9 under Bingell is the same motivation used to combine Bingell with Cavanagh in view of Banerjee in the rejection of claim 5 above.

Regarding Claims 15-19:
Apparatus claims 15-19 correspond to respective method claims 5-9 and contain no further limitations. Therefore claims 15-19 are rejected by applying the same respective rationale used to reject claims 5-9 above.

Regarding Claim 22:
Cavanagh in view of Banerjee teaches:
The system as described in claim 20 wherein the data repository stores passwords of a user (Cavanagh, Col. 13, lines 39-42, “All the information inputted by the user on the password manager application will then be stored in the password management database 104”; Col. 17, lines 14-26 outlines the information stored in the database including a password), …
Cavanagh in view of Banerjee does not disclose:
… the passwords being stored as an encrypted blob.
Bingell teaches:
… the passwords being stored as an encrypted blob (Fig. 5A; ¶0045, “The password vault of FIG. 5A may be encrypted for security purposes by the vault manager to protect the passwords stored therein … The userid 515, password 520 and email address 525 are used for accessing the website account and are stored for access by the user as needed and may be provided automatically by the website registration manager when the user attempts to log into the website account”).	
Before the effective filing date of the claimed invention, it would have been obvious to one with ordinary skill in the art to modify Cavanagh in view of Banerjee’s 
	The motivation is to store a user’s passwords at a password manager in a secure fashion by encrypting the passwords within a password vault.

Contact Information
Any inquiry concerning this communication or earlier communications from the examiner should be directed to DANIEL B POTRATZ whose telephone number is (571)270-5329.  The examiner can normally be reached on M-F 10 A.M. - 6 P.M. CST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Ashok Patel can be reached on 571-272-3972.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.





/DANIEL B POTRATZ/Primary Examiner, Art Unit 2491