DETAILED ACTION
The instant application having Application No. 16/829783 filed on March 25, 2020 is presented for examination by the examiner.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Oath/Declaration
The applicant’s oath/declaration has been reviewed by the examiner and is found to conform to the requirements prescribed in 37 C.F.R. 1.63.

Information Disclosure Statement
As required by M.P.E.P. 609(C), the applicant’s submission of the Information Disclosure Statement is acknowledged by the examiner and the cited references have been considered in the examination of the claims now pending. As required by M.P.E.P. 609(C), a copy of the PTOL-1449 initialed and dated by the examiner is attached to the instant office action.

Drawings
The applicant’s drawings submitted are acceptable for examination purposes.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.

Claims 1-4, 7, 9-13, and 15-19 are rejected under 35 U.S.C. 103 as being unpatentable over Lyne (US 2011/0239267) in view of Curtis (US 7877506).

As per claims 1, 11, and 16, Lyne discloses A method of network-based password policy enforcement, the method comprising: 
receiving, by a processor, a [content] configured to travel in a network, wherein the [content] is configured to travel from a first device to a second device (Lyne, abstract and paragraphs 8, 63, and 66, teaches monitoring content going over the Internet that contains a password.); 
analyzing the [content] (Lyne, abstract and paragraphs 8, 63, and 66, teaches monitoring content going over the Internet that contains a password. Lyne, abstract, Figure 2, and paragraphs 5, 8, 55-57, 60, and 63-66, teaches detecting the password in a field.); 
(Lyne, abstract, Figure 2, and paragraphs 5, 8, 55-57, 60, and 63-66, teaches detecting the password in a field.); 
determining whether the detected password complies with at least one password policy (Lyne, abstract, Figure 2, and paragraphs 5-8, 55-57, and 63-66, teaches detecting the password in a field and checking the password for compliance.); and 
providing a password policy compliance output to a user, wherein the password policy compliance output indicates to the user whether the detected password complies with the at least one password policy (Lyne, paragraphs 57 and 61, teaches notifying the user that the password does not comply with the password policy.)
Lyne, abstract and paragraphs 8, 63, and 66, specifically teaches monitoring content going over the Internet that contains a password which in most cases will require the use of packets to transmit the data over the Internet. However, Lyne does not specifically teach receiving, by a processor, a packet configured to travel in a network, wherein the packet is configured to travel from a first device to a second device; analyzing the packet; or detecting a password within the packet.
Curtis discloses receiving, by a processor, a packet configured to travel in a network, wherein the packet is configured to travel from a first device to a second device; analyzing the packet; detecting a password within the packet (Curtis, abstract, Figure 2 and col. 3 line 36-col. 4 line 42, teaches receiving a packet and determining if the packet contains sensitive data such as a password.)
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Curtis with the teachings of Lyne. Lyne 

As per claims 2, 12, and 17, Lyne in view of Curtis discloses further comprising: implementing a remediation action if the detected password does not comply with the at least one password policy (Lyne, paragraph 57, teaches giving the user a password that is compliant or allowing the user to enter a new password that is compliant.)  

As per claims 3 and 18, Lyne in view of Curtis discloses wherein the remediation action comprises at least one of: communicating with an enforcement engine to block access with the network, communicating with an identity provider to change the detected password, and alerting a network administrator (Lyne, paragraph 57, teaches alerting the user that the password needs to be changed and forwarding the user to the change password functionality portion by the password policy enforcement facility. Lyne, paragraph 37, also teaches performing a remedial action for a policy violation such as terminating a process or sending a warning to an administrator.)

As per claims 4, 13, and 19, Lyne in view of Curtis discloses wherein determining whether the detected password complies with the at least one password policy comprises: analyzing a feature of the detected password, wherein the at least one password policy includes one or more requirements for the feature (Lyne, paragraph 56, teaches comparing the password against an acceptable complexity standard.)

As per claims 7 and 15, Lyne in view of Curtis discloses wherein analyzing the packet includes identifying a header of the packet and a payload of the packet (Curtis, abstract, Figure 2 and col. 3 line 36-col. 4 line 42, teaches receiving a packet and determining if the packet contains sensitive data such as a password by checking the payload. Curtis, col. 2 lines 58-67 and col. 3 lines 36-45, also teaches analyzing the header to determine if the packet contains sensitive data.)

As per claim 9, Lyne in view of Curtis discloses The method of claim 7, wherein the detected password is detected based on the payload of the packet, wherein the payload includes information that exceeds a password threshold (Lyne, abstract, Figure 2, and paragraphs 5, 8, 55-57, 60, and 63-66,  teaches detecting the password in a field. The Examiner would note that claim 10 further defines the password threshold exceeding when a string of characters is identified. As a password is considered as a string of characters, detecting the password as in Lyne is considered as exceeding the password threshold.) 

As per claim 10, Lyne in view of Curtis discloses The method of claim 9, wherein it is determined that the password threshold is exceeded when at least one or more of a sequential string of characters is identified, a common password is identified from a common password database, or specific information associated with a user is identified (Lyne, abstract, Figure 2, and paragraphs 5, 8, 55-57, 60, and 63-66,  teaches detecting the password in a field. As a password is considered as a string of characters, detecting the password as in Lyne is considered as exceeding the password threshold.)

Claims 5, 14, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Lyne in view of Curtis and further in view of Kohlenberg (US 2015/0254452).

As per claims 5, 14, and 20, Lyne in view of Curtis discloses wherein determining whether the detected password complies with at least one password policy (Lyne, paragraph 56, teaches comparing the password against an acceptable complexity standard.)
However, Lyne in view of Curtis does not specifically teach comparing the detected password to previously observed matching password hashes to determine an age of the password or password re-use.
(Kohlenberg, Figures 4-5 and paragraphs 28 and 42, teaches enforcing password policies such as preventing the reusage of passwords by comparing hash values of old passwords to the hash value of the current password.)
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Kohlenberg with the teachings of Lyne in view of Curtis. Lyne in view of Curtis teaches detecting a password in a packet and analyzing the password to ensure it is compliant with the password policy, but is silent in regards to the specifics of the password policy. Kohlenberg teaches that one password policy is preventing the re-use of old passwords. Therefore, it would have been obvious to incorporate into Lyne in view of Curtis a specific password policy, such as the password policy of Kohlenberg, as Lyne in view of Curtis has a password policy in general and can be varied to include the password policy to prevent the reuse of old passwords to add additional strength to the passwords that are used in the system.  

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Lyne in view of Curtis and further in view of Raikar (US 7849320).

As per claim 6, Lyne in view of Curtis discloses The method of claim 1 wherein the password policy is associated with a strength level of the detected password (Lyne, paragraph 56, teaches comparing the password against an acceptable complexity standard.)
However, Lyne in view of Curtis does not specifically teach generating the strength level based on a comparison of the password to previously observed matching passwords.
Raikar discloses wherein the password policy is associated with a strength level of the detected password, and wherein determining whether the detected password complies with at least one password policy further comprises: generating the strength level based on a comparison of the password to previously observed matching passwords (Raikar, Figure 2, col. 1 lines 17-28 and col. 5 line 43-col. 6 line 4, teaches enforcing password policies based on the strength of the password such as preventing “easy to remember” passwords that can be susceptible to dictionary attacks and preventing the reusage of passwords as either of these will decrease the strength of the password.)
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Raikar with the teachings of Lyne in view of Curtis. Lyne in view of Curtis teaches detecting a password in a packet and analyzing the password to ensure it is compliant with the password policy, but is silent in regards to the specifics of the password policy. Raikar teaches that one password policy is preventing the use of passwords that are easy to remember or preventing the reuse of old passwords. Therefore, it would have been obvious to incorporate into Lyne in view of Curtis a specific password policy, such as the password policy of Raikar, as Lyne in view of Curtis has a password policy in general and can be varied to include the .

Allowable Subject Matter
Claim 8 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. The following is an examiner’s statement of reasons for allowance: The primary reason for the allowance of the claims is the inclusion of the limitation, inter alia, “wherein the detected password is detected based on the header including a network destination that is associated with a password database". The closest prior art of record includes:
Lyne and Curtis that teach detecting a password and checking the password for compliance with a password policy.
Kohlenberg and Raikar that teach various password policies.
Weatherford (US 2007/0150743) – teaches sending a password packet to a destination of an authentication server.
However, the combination of limitations as currently claimed cannot be found in the cited prior art of record.

Related Prior Art
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure includes:
Abuelsaad (US 2015/0324593) – teaches detecting a password in the payload of a packet.
Cromer (US 2003/0202514) – teaches extracting a password from a packet.
Swift (US 5719941) – teaches various password policies.
Smith (US 2006/0136993) – teaches using packet numbers in headers to put the packets in proper order and then compares the password in the payload to a stored password.

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOHN B KING whose telephone number is (571)270-7310.  The examiner can normally be reached on Monday-Friday 10AM-6PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 5712728878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.

/John B King/
Primary Examiner, Art Unit 2498