DETAILED ACTION

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Status of the Claims
	Claims 17-20 are rejected under 35 U.S.C. 112(b).
	Claim 18 is rejected under 35 U.S.C. 112(d).
Claims 1-20 are rejected under 35 U.S.C. 101.
Claims 1-4 and 9-12 are rejected under 35 U.S.C. 102(a)(2).
	Claims 5-8 and 13-20 are rejected under 35 U.S.C. 103.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


Claim 17 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention. Claim 17 recites the limitations "the characteristic data" in line 5, “the electronic source data” in line 7, “the group data” in line 11, and “the targeted password list” in line 16 (last line).  There is insufficient antecedent basis for these limitations in the claim. There is no prior recitation 
Claims 18-20 are rejected due to their dependencies on claim 17. 

The following is a quotation of 35 U.S.C. 112(d):
(d) REFERENCE IN DEPENDENT FORMS.—Subject to subsection (e), a claim in dependent form shall contain a reference to a claim previously set forth and then specify a further limitation of the subject matter claimed. A claim in dependent form shall be construed to incorporate by reference all the limitations of the claim to which it refers.

Claim 18 is rejected under 35 U.S.C. 112(d) or pre-AIA  35 U.S.C. 112, 4th paragraph, as being of improper dependent form for failing to further limit the subject matter of the claim upon which it depends, or for failing to include all the limitations of the claim upon which it depends. Claim 18 depends from claim 17, but recites the same limitations as claim 17. Claim 18 therefore does not further limit the subject matter of claim 17.
Applicant may cancel the claim(s), amend the claim(s) to place the claim(s) in proper dependent form, rewrite the claim(s) in independent form, or present a sufficient showing that the dependent claim(s) complies with the statutory requirements.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.





Step 1: Are the claims directed to one of the four statutory categories?

Claim 1 and its dependents are directed to a process.
Claim 9 and its dependents are directed to a machine.
Claim 17 and its dependents are directed to a machine.

Step 2A Prong 1: Does the claim recite an abstract idea?

Claim 1 recites:

A computer-implemented method performed by a data processing apparatus, the method comprising: receiving, at a computing device, characteristic data for an owner or user of an electronic device; receiving, at the computing device, electronic source data for the owner or user of the electronic device; receiving, at the computing device, group data for the owner or user of the electronic device; generating, by the computing device, a targeted password list for the electronic device based on the characteristic data, the electronic source data, and the group data for the owner or user of the electronic device.

Claim 9 recites:

A computer-implemented system comprising: one or more storage devices; one or more processors that receive characteristic data for an owner or user of an electronic device, receive electronic source data for the owner or user of the electronic device, receive group data for the owner or user of the electronic device, and generate a targeted password list for the electronic device based on the characteristic data, the electronic source data, and the group data for the owner or user of the electronic device.

	The portions of claims 1 and 9 underlined above recite a mental process. See MPEP 2106.04(a). These portions recite collecting a plurality of types of information and generating a list of passwords from the information. This can be performed in the human mind or using pen and paper. For example, a person can collect data from a user, such as their last name “Smith” [characteristic data], the last four digits of their social security “1234” [electronic source data], and their hometown “New York” [group data]. The person can then generate a list of passwords based on this data, such as “SmithNewYork1234”, “1234NewYorkSmith”, “Smith1234NewYork”, etc.

Claim 17 recites: 

A system comprising: one or more computers and one or more storage devices storing instructions which are operable, when executed by the one or more computers, to cause the one or more computers to perform operations comprising: generating a first set of character strings by shifting and permutating strings of characters from the characteristic data; generating a second set of character strings by shifting and permutating strings of characters from the electronic source data; generating a third set of character strings by combining the strings of characters from the characteristic data and the strings of characters from the electronic source data; generating a fourth set of character strings by combining the strings of characters from the characteristic data and the electronic source data and strings of characters from the group data; generating a fifth set of character strings by shifting and permutating the strings of characters from the group data; and storing the first, second, third, fourth, and fifth sets of character strings as the targeted password list for the electronic device.

The portions of claim 17 underlined above recite a mental process. See MPEP 2106.04(a). These portions recite generating different sets of character strings by shifting and permutating different types of data. This can be performed in the human mind or using pen and paper. For example, using the example data discussed above with regards to claims 1 and 9, a person could generate the following sets:
First set: “Smith”, “mithS”, “ithSm”, etc.
Second set: “1234”, “2341”, “3412”, etc.

Fourth set: “Smith1234NewYork”, “1234SmithNewYork”, etc.
Fifth set: “NewYork”, “ewYorkN”, “wYorkNe”, etc.

Dependent claims 2-4 and 10-12 merely limit what comprises “characteristic data”, “electronic source data”, and “group data” and are thus incorporated in the judicial exception discussed above.

Dependent claims 5, 13, and 18 recite the same limitations as claim 17, and therefore recite a further mental process of generating passwords by collecting, shifting, and permutating character strings related to a user.

Claims 7, 15, and 20 depend from claims 5, 13, and 18 and further recite:

further comprising: using character strings from the targeted password list to attempt to access the electronic device, wherein character strings from the first, second, and third sets of character strings are used before character strings from the fourth and fifth set of character strings are used.

The underlined portion of claims 7, 15, and 20 recite a mental process that continues from the mental processes discussed with regards to claims 1, 9, and 17. After a person generates a list of passwords from data related to a user, the person can then attempt to access a device by entering the character strings from the targeted 

Claims 8 and 16 recite:
wherein generating, by the computing device, the targeted password list for the electronic device based on the characteristic data, the electronic source data, and the group data for the owner or user of the electronic device is based on parameters of passwords used by the electronic device.

Claims 8 and 16 are still incorporated in the mental process of claims 1 and 9. The underlined portion merely limits the parameters of the password that is generated by the person generating the password. For example, the parameters may include a special character, a capital letter, and a number, or for the password to be a certain length. The person mentally generating the password list would therefore only generate passwords that comply with the specific parameters of a password.

Step 2A Prong 2: Does the claim recite additional elements that integrate the judicial exception into a practical application?



Claim 1 additionally recites “a computer-implemented method performed by a data processing apparatus, the method comprising” and that the steps of the mental process are performed at or by a “computing device”. This merely links the judicial exception to a computer environment. Furthermore, a claim that recites a computer may still recite a mental process. In this case, the computer is merely a tool for performing the mental process. See MPEP 2106.04(a)(2).III.C.

Claim 9 additionally recites “a computer-implemented system comprising: one or more storage devices; one or more processors that”. This merely links the judicial exception to a computer environment. Furthermore, a claim that recites a computer may still recite a mental process. In this case, the computer is merely a tool for performing the mental process. See MPEP 2106.04(a)(2).III.C.

Claim 17 additionally recites “a system comprising: one or more computers and one or more storage devices storing instructions which are operable, when executed by the one or more computers, to cause the one or more computers to perform operations comprising:”. This merely links the judicial exception to a computer environment. Furthermore, a claim that recites a computer may still recite a mental process. In this 
Claim 17 also recites “and storing the first, second, third, fourth, and fifth sets of character strings as the targeted password list for the electronic device.” However, this is extra-solution activity that does not add a meaningful limitation to the process of generating a password from a plurality of character strings. See MPEP 2106.05(g).

Claims 2-4 and 10-12 do not recite additional limitations outside of the mental process and thus do not integrate the mental process into a practical application.

Claims 5, 13, and 18 recite the same limitations as claim 17 and therefore do not integrate the judicial exception into a practical application for the same reasonings.

Claims 6, 14, and 19 depend from claims 5, 13, and 18 and additionally recite: wherein the first, second, and third sets of character strings are generated and stored before the fourth and fifth sets of character strings are generated and stored.

A step of storing the generated character strings is extra-solution activity that does not add a meaningful limitation to the concept of generating a password from a plurality of data related to a user. See MPEP 2106.05(g). Furthermore, an order in which the character strings are generated and stored is also extra-solution activity that does not add to the technical concept. The person performing the mental process could 

Claims 7, 15, and 20 do not recite additional limitations outside of the mental process and thus do not integrate the mental process into a practical application.

Claims 8 and 16 do not recite additional limitations outside of the mental process and thus do not integrate the mental process into a practical application.

Step 2B: Does the claim amount to significantly more?

As discussed under Step 2A Prong 2, the only additional limitations recited in claims 1-20 are either extra-solution activity or generally link the judicial exception to a computer environment. These additional limitations do not amount to significantly more. See MPEP2106.05. No other additional limitations are recited by the claims that can be analyzed as to whether they amount to significantly more than the mental process discussed in Step 2A Prong 1.

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.


Claims 1-4 and 9-12 are rejected under 35 U.S.C. 102(a)(2) as being anticipated by FARIVAR (US 10,909,235 B1).

Regarding Claim 1, FARIVAR discloses a computer-implemented method performed by a data processing apparatus, the method comprising: receiving, at a computing device, characteristic data for an owner or user of an electronic device; (“Various types of information specific to a user may be input or fed into the trained artificial neural network. For example, user-specific information may include the user's first, middle, last names, the user's nickname, a birthdate, a social security number…” Col. 2:16-24. User-specific information, or data for an owner or user of an electronic device, is collected. The information includes characteristic data of the user such as their names, birthdates, addresses, and numbers.)
receiving, at the computing device, electronic source data for the owner or user of the electronic device; (“Further, publicly available user-specific information by way of an Internet search, for instance, on the user's social media account, the user's professional networking profile…” Col. 2:25-36. Information related to the user is obtained from a plurality of electronic sources.)
receiving, at the computing device, group data for the owner or user of the electronic device; (“user-specific information… may include the name of the user's pet, a hobby that the user enjoys, information related to the user's profession, education history of the user (e.g., high school, college or university, graduate school), the user's favorite vacation destination, etc.” Col. 2:25-36. Information about where the user went to school or where the user works reads on “group data”. See Figure 3, which provides examples of the characteristic data, electronic source data, and group data received by a computing device.)
generating, by the computing device, a targeted password list for the electronic device based on the characteristic data, the electronic source data, and the group data for the owner or user of the electronic device. (“The artificial neural network 304 receives the user-specific information 302, performs analysis, and outputs numerous possible password strings 306 that can be formed by transforming, combining, and/or arranging the characters in the user-specific information 302. In at least this regard, the artificial neural network may employ machine learning, artificial intelligence, etc. techniques to output all possible passwords that the user may create based on the user-specific information 302 in typical or predictable ways. Effectively, the artificial neural network is guessing or attempting to guess the easily guessable Col. 6:59- Col.7:2. Also see Col. 4:16-26. A list of predictable passwords made from the combinations of the characteristic, electronic source, and group data of the user is generated.)
	Regarding Claim 9, FARIVAR further discloses a computer-implemented system comprising: one or more storage devices; one or more processors (Col. 10:18-21. Fig. 7)
	Claim 9 otherwise recites identical limitations to claim 1 and is therefore rejected using the same reasoning described above.

Regarding Claim 2, FARIVAR further discloses wherein the characteristic data comprises strings of characters based on known characteristics of the owner or user of the electronic device. (Col. 2:16-24. And Col. 4:16-26: User-specific information includes names, telephone numbers, a birthdate, social security number, and other characteristic data of a user. The information retrieved are strings of characters used in generating the predicted passwords.)
	Claim 10 is directed to a computer-implemented system but otherwise recites the same limitations as claim 2. Claim 10 is therefore rejected using the same reasoning described above.

Regarding Claim 3, FARIVAR further discloses wherein the electronic source data comprises strings of characters based on data about the owner or user of the electronic device retrieved from electronic data sources. (Col. 2:25-36. And Col. 4:16-26: User-specific information is retrieved from a plurality of online sources, 
Claim 11 is directed to a computer-implemented system but otherwise recites the same limitations as claim 3. Claim 11 is therefore rejected using the same reasoning described above.

Regarding Claim 4, FARIVAR further discloses wherein the group data comprises strings of characters based on data about demographic groups and organizations with which the owner or user of the electronic device is associated. (Col. 2:25-36. And Col. 4:16-26: User-specific information includes demographic and organization data, such as where the user went to school, the occupation of the user (See Figure 3), and the hobbies the user is interested in. )
	Claim 12 is directed to a computer-implemented system but otherwise recites the same limitations as claim 4. Claim 12 is therefore rejected using the same reasoning described above.


Claim Rejections - 35 USC § 103
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  

The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.


The factual inquiries for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.

Claims 5, 13, and 17-18 are rejected under 35 U.S.C. 103 as being unpatentable over FARIVAR (US 10,909,235 B1) in view of STADING (US 2004/0255155 A1).

Regarding Claim 5, FARIVAR teaches all the limitations of claim 1, on which claim 5 depends.
FARIVAR further teaches wherein generating, by the computing device, the targeted password list for the electronic device based on the characteristic data, the electronic source data, and the group data for the owner or user of the electronic device comprises: generating…  character strings by shifting and permutating strings of characters from the characteristic data; generating… character strings by shifting and permutating strings of characters from the electronic source data… generating… character strings by shifting and permutating the strings of characters from the group data; (“the artificial neural network 304 receives the user-specific information 302, performs analysis, and outputs numerous possible password strings 306 that can be formed by transforming, combining, and/or arranging the characters in the user-specific information 302” Col. 6:59-63. A set of possible password strings is generated by arranging (shifting) and combining (permutating) user-specific information.)
generating… character strings by combining the strings of characters from the characteristic data and the strings of characters from the electronic source data; generating… character strings by combining the strings of characters from the characteristic data and the electronic source data and strings of characters from the group data; (“The artificial neural network 304 receives the user-specific information 302, performs analysis, and outputs numerous possible password strings 306 that can be formed by transforming, combining, and/or arranging the characters in the user-specific information 302. In at least this regard, the artificial neural network may employ machine learning, artificial intelligence, etc. techniques to output all possible passwords that the user may create based on the user-specific information 302 in typical or predictable ways. Effectively, the artificial neural network is guessing or attempting to guess the easily guessable passwords before fraudsters do.” Col. 6:59- Col.7:2. Also see Col. 4:16-26. A list of predictable passwords made from the combinations of the characteristic, electronic source, and group data of the user is generated.)
While FARIVAR teaches combining and arranging user-specific information in a variety of ways (See Figure 3), FARIVAR does not explicitly teach that the character strings of user information from different categories are combined into different sets, i.e. a first set, a second set, a third set, a fourth set, and a fifth set. 
FARIVAR further does not explicitly teach and storing the first, second, third, fourth, and fifth sets of character strings as the targeted password list for the electronic device.
However, STADING, which teaches a plurality of password generating algorithms for creating passwords of various cracking difficulty, teaches combining different user-specific character strings into different sets of candidate passwords. STADING teaches a first set, a second set, a third set, a fourth set, and a fifth set. (“Here is an exemplary list of password generating algorithms that generate passwords of increasing cracking difficulty… 2. Make algorithmic combinations of input data, such as, concatenate into a string the user's first name and last name and use the first eight letters of the string as the password. 3. Retrieve and use as the password the first of the following to comprise at least ten characters: the user's hobby, the user's favorite author, the user's oldest child's first name. 4. Express the user's birthdate as six numeric digits and reverse them; express the user social security number as nine numeric digits and reverse them; concatenate the two, forming a fifteen digit password… Various embodiments of the invention use any number or combination of Paragraphs 0042-48. Information related to a user is shifted and permutated in a variety of way to produce different sets of character strings with varying cracking difficulty. As one example, the third algorithm is equivalent to combining characteristic data, electronic source data, and group data, while the second and fourth algorithms are examples of combining different types of characteristic data.)
STADING further teaches and storing the first, second, third, fourth, and fifth sets of character strings as the targeted password list for the electronic device (“Alert passwords are deployed, for example, by storing them in password tables similar to the password tables in which ordinary user passwords are stored, such as, for example, the well-known/etc/passwd in Linux systems. Alert passwords, in fact, can be stored in the very same table in which ordinary user passwords are stored, in operating systems amenable to such storage. Alert passwords, like ordinary user passwords, in support of appropriate retrieval when needed, are typically stored in association with user identification or resource identification for a user or a resource with which a user password is used to control access.” Paragraph 0036. The different sets of passwords generated using the algorithms taught by Paragraphs 42-48 are stored for later use by an information security system.)
Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to modify the generation of candidate passwords that are predicted from user-specific information taught by FARIVAR by generating different sets of passwords with various cracking difficulty from the user-specific information and storing the passwords as taught by STADING. Since both references are directed to 
Claim 13 is directed to a computer-implemented system but otherwise recites the same limitations as claim 5. Claim 13 is therefore rejected using the same reasoning described above.

Regarding Claim 17, FARIVAR teaches a system comprising: one or more computers and one or more storage devices storing instructions which are operable, when executed by the one or more computers, to cause the one or more computers to perform operations comprising: (Col. 10:18-21. Fig. 7)
generating… character strings by shifting and permutating strings of characters from (“the artificial neural network 304 receives the user-specific information 302, performs analysis, and outputs numerous possible password strings 306 that can be formed by transforming, combining, and/or arranging the characters in the user-specific information 302” Col. 6:59-63. A set of possible password strings is generated by arranging (shifting) and combining (permutating) user-specific information.)
the characteristic data; (“Various types of information specific to a user may be input or fed into the trained artificial neural network. For example, user-specific information may include the user's first, middle, last names, the user's nickname, a birthdate, a social security number…” Col. 2:16-24. User-specific information, or data for an owner or user of an electronic device, is collected. The information includes characteristic data of the user such as their names, birthdates, addresses, and numbers.)
generating… character strings by shifting and permutating strings of characters from (“the artificial neural network 304 receives the user-specific information 302, performs analysis, and outputs numerous possible password strings 306 that can be formed by transforming, combining, and/or arranging the characters in the user-specific information 302” Col. 6:59-63. A set of possible password strings is generated by arranging (shifting) and combining (permutating) user-specific information.)
the electronic source data; (“Further, publicly available user-specific information may also be input or fed into the trained artificial neural network, which may include the name of the user's pet, a hobby that the user enjoys… The publicly available information may be found by way of an Internet search, for instance, on the user's social media account, the user's professional networking profile…” Col. 2:25-36. Information related to the user is obtained from a plurality of electronic sources.)
generating… character strings by combining the strings of characters from the characteristic data and the strings of characters from the electronic source data; generating… character strings by combining the strings of characters from the characteristic data and the electronic source data and strings of characters from the group data; (“The artificial neural network 304 receives the user-specific information 302, performs analysis, and outputs numerous possible password strings 306 that can be formed by transforming, combining, and/or arranging the characters in the user-specific information 302. In at least this regard, the artificial neural network may employ machine learning, artificial intelligence, etc. techniques to output all possible passwords that the user may create based on the user-specific information 302 in typical or predictable ways. Effectively, the artificial neural network is guessing or attempting to guess the easily guessable passwords before fraudsters do.” Col. 6:59- Col.7:2. Also see Col. 4:16-26. A list of predictable passwords made from the combinations of the characteristic, electronic source, and group data of the user is generated.)
generating a fifth set of character strings by shifting and permutating the strings of characters (“the artificial neural network 304 receives the user-specific information 302, performs analysis, and outputs numerous possible password strings 306 that can be formed by transforming, combining, and/or arranging the characters in the user-specific information 302” Col. 6:59-63. A set of possible password strings is generated by arranging (shifting) and combining (permutating) user-specific information.)
from the group data; (“user-specific information… may include the name of the user's pet, a hobby that the user enjoys, information related to the user's profession, education history of the user (e.g., high school, college or university, graduate school), the user's favorite vacation destination, etc.” Col. 2:25-36. Information about where the 
While FARIVAR teaches combining and arranging user-specific information in a variety of ways (See Figure 3), FARIVAR does not explicitly teach that the character strings of user information from different categories are combined into different sets, i.e. a first set, a second set, a third set, a fourth set, and a fifth set. 
FARIVAR further does not explicitly teach and storing the first, second, third, fourth, and fifth sets of character strings as the targeted password list for the electronic device.
However, STADING, which teaches a plurality of password generating algorithms for creating passwords of various cracking difficulty, teaches combining different user-specific character strings into different sets of candidate passwords. STADING teaches a first set, a second set, a third set, a fourth set, and a fifth set (“Here is an exemplary list of password generating algorithms that generate passwords of increasing cracking difficulty… 2. Make algorithmic combinations of input data, such as, concatenate into a string the user's first name and last name and use the first eight letters of the string as the password. 3. Retrieve and use as the password the first of the following to comprise at least ten characters: the user's hobby, the user's favorite author, the user's oldest child's first name. 4. Express the user's birthdate as six numeric digits and reverse them; express the user social security number as nine numeric digits and reverse them; concatenate the two, forming a fifteen digit password… Various embodiments of the invention use any number or combination of Paragraphs 0042-48. Information related to a user is shifted and permutated in a variety of way to produce different sets of character strings with varying cracking difficulty. As one example, the third algorithm is equivalent to combining characteristic data, electronic source data, and group data, while the second and fourth algorithms are examples of combining different types of characteristic data.)
STADING further teaches and storing the first, second, third, fourth, and fifth sets of character strings as the targeted password list for the electronic device. (“Alert passwords are deployed, for example, by storing them in password tables similar to the password tables in which ordinary user passwords are stored, such as, for example, the well-known/etc/passwd in Linux systems. Alert passwords, in fact, can be stored in the very same table in which ordinary user passwords are stored, in operating systems amenable to such storage. Alert passwords, like ordinary user passwords, in support of appropriate retrieval when needed, are typically stored in association with user identification or resource identification for a user or a resource with which a user password is used to control access.” Paragraph 0036. The different sets of passwords generated using the algorithms taught by Paragraphs 42-48 are stored for later use by an information security system.)
Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to modify the generation of candidate passwords that are predicted from user-specific information taught by FARIVAR by generating different sets of passwords with various cracking difficulty from the user-specific information and storing the passwords as taught by STADING. Since both references are directed to 
	Claim 18 recites identical limitations to claim 17 [See the 35 U.S.C. 112(d) rejection above] and is therefore rejected using the same reasoning described above.


Claims 6-7, 14-15, and 19-20 are rejected under 35 U.S.C. 103 as being unpatentable over FARIVAR (US 10,909,235 B1) in view of STADING (US 2004/0255155 A1) and further in view of AMIN (US 9,888,016 B1).

Regarding Claim 6, FARIVAR in view of STADING teaches all the limitations of claim 5, on which claim 6 depends.
FARIVAR in view of STADING does not teach wherein the first, second, and third sets of character strings are generated and stored before the fourth and fifth sets of character strings are generated and stored.
However, AMIN, which is directed to a method of detecting phising by predicting passwords, teaches wherein the first, second, and third sets of character strings are generated and stored before the fourth and fifth sets of character strings are generated and stored. (“a list of default passwords is used in an attempt to decrypt the attachment… a password predictor is invoked to parse the email to locate any possible passwords hints within various portions of the email (e.g. body, subject line, address line, etc.) and attempt to determine or predict one or more password candidates… content of the email may be scanned and analyzed prior to applying the list of default passwords to predict the password” Col. 3:62 – Col. 4:25. Also see Col. 7:10-15 and Col. 7:57-60.  One set of predicted passwords is used before the use of another set of predicted passwords. The set of default passwords is also generated and stored before the passwords that are generated from the content of an email. Furthermore, in view of STADING, which teaches storing alert passwords, it would have been obvious for a certain set of the passwords, such as those with a lower cracking difficulty, to be generated and stored before another set of passwords.)
Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to modify the generation and storing of a plurality of sets of passwords from retrieved user-specific information taught by FARIVAR in view of STADING by generating and storing the passwords with a certain order as taught by Amin. Since the references are directed to information security by predicting passwords, the combination would yield predictable results. Such a combination would amount to a design choice as to which type of password is generated and tested first. Furthermore, setting an order may improve the security and resource use of the system by allowing the designer to set which type of password they determine to be more likely to be used, potentially leading to earlier detection of a threat.
Claim 14 is directed to a computer-implemented system but otherwise recites the same limitations as claim 6. Claim 14 is therefore rejected using the same reasoning described above.

Regarding Claim 7, FARIVAR in view of STADING teaches all the limitations of claim 5, on which claim 7 depends.
 FARIVAR in view of STADING does not teach further comprising: using character strings from the targeted password list to attempt to access the electronic device, wherein character strings from the first, second, and third sets of character strings are used before character strings from the fourth and fifth set of character strings are used.
However, AMIN, which is directed to a method of detecting phising by predicting passwords, teaches further comprising: using character strings from the targeted password list to attempt to access the electronic device, (“If the attachment has been encrypted, a list of default passwords 111 is used in an attempt to decrypt the attachment… If the attachment cannot be decrypted using the default passwords 111, according to one embodiment, a password predictor 110 is invoked to parse the email to locate or identify any possible passwords hints within the email and attempt to determine or predict one or more password candidates… the password candidates are then used in an attempt to decrypt the encrypted attachment.” Col. 4:62 – Col. 5:27. Predicted passwords are used to access a file. This is equivalent to using a password to access a device.)
wherein character strings from the first, second, and third sets of character strings are used before character strings from the fourth and fifth set of character strings are used. (“a list of default passwords is used in an attempt to decrypt the attachment… a password predictor is invoked to parse the email to locate any possible passwords hints within various portions of the email (e.g. body, subject line, address line, etc.) and attempt to determine or predict one or more password candidates… content of the email may be scanned and analyzed prior to applying the list of default passwords to predict the password” Col. 3:62 – Col. 4:25. Also see Col. 7:10-15 and Col. 7:57-60.  One set of predicted passwords are used in an attempt to access a file before the use of another set of predicted passwords. It would have been obvious for any set of passwords to be used before another set as determined by the system designer.)
Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to modify the generation and storing of a plurality of sets of passwords from retrieved user-specific information taught by FARIVAR in view of STADING by applying the generated passwords to attempt to access a resource and using certain sets of passwords before other sets as taught by AMIN. Since the references are directed to information security by predicting passwords, the combination would yield predictable results. Furthermore, since STADING teaches using the generated passwords in order to test a cracking strength of a user’s actual password, it would have been further obvious to attempt to access a resource using the generated password. The order as to which password is used first amounts to a design choice. Furthermore, setting an order may improve the security and resource use of the system 
Claim 15 is directed to a computer-implemented system but otherwise recites the same limitations as claim 7. Claim 15 is therefore rejected using the same reasoning described above.

Regarding Claim 19, FARIVAR in view of STADING teaches all the limitations of claim 18, on which claim 19 depends.
FARIVAR in view of STADING does not teach wherein the first, second, and third sets of character strings are generated and stored before the fourth and fifth sets of character strings are generated and stored.
However, AMIN, which is directed to a method of detecting phising by predicting passwords, teaches wherein the first, second, and third sets of character strings are generated and stored before the fourth and fifth sets of character strings are generated and stored. (“a list of default passwords is used in an attempt to decrypt the attachment… a password predictor is invoked to parse the email to locate any possible passwords hints within various portions of the email (e.g. body, subject line, address line, etc.) and attempt to determine or predict one or more password candidates… content of the email may be scanned and analyzed prior to applying the list of default passwords to predict the password” Col. 3:62 – Col. 4:25. Also see Col. 7:10-15 and Col. 7:57-60.  One set of predicted passwords is used before the use of another set of predicted passwords. The set of default passwords is also generated and stored before the passwords that are generated from the content of an email. Furthermore, in view of 
Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to modify the generation and storing of a plurality of sets of passwords from retrieved user-specific information taught by FARIVAR in view of STADING by generating and storing the passwords with a certain order as taught by Amin. Since the references are directed to information security by predicting passwords, the combination would yield predictable results. Such a combination would amount to a design choice as to which type of password is generated and tested first. Furthermore, setting an order may improve the security and resource use of the system by allowing the designer to set which type of password they determine to be more likely to be used, potentially leading to earlier detection of a threat.


Regarding Claim 20, FARIVAR in view of STADING teaches all the limitations of claim 18, on which claim 20 depends.
FARIVAR in view of STADING does not teach wherein the instructions, which are operable, when executed by the one or more computers, further cause the one or more computers to perform operations comprising: using character strings from the targeted password list to attempt to access the electronic device, wherein character strings from the first, second, and third sets of character strings are used before character strings from the fourth and fifth set of character strings are used. 
However, AMIN, which is directed to a method of detecting phising by predicting passwords, teaches wherein the instructions, which are operable, when executed by the one or more computers, further cause the one or more computers to perform operations comprising: using character strings from the targeted password list to attempt to access the electronic device, (“If the attachment has been encrypted, a list of default passwords 111 is used in an attempt to decrypt the attachment… If the attachment cannot be decrypted using the default passwords 111, according to one embodiment, a password predictor 110 is invoked to parse the email to locate or identify any possible passwords hints within the email and attempt to determine or predict one or more password candidates… the password candidates are then used in an attempt to decrypt the encrypted attachment.” Col. 4:62 – Col. 5:27. Predicted passwords are used to access a file. This is equivalent to using a password to access a device.)
wherein character strings from the first, second, and third sets of character strings are used before character strings from the fourth and fifth set of character strings are used. (“a list of default passwords is used in an attempt to decrypt the attachment… a password predictor is invoked to parse the email to locate any possible passwords hints within various portions of the email (e.g. body, subject line, address line, etc.) and attempt to determine or predict one or more password candidates… content of the email may be scanned and analyzed prior to applying the list of default passwords to predict the password” Col. 3:62 – Col. 4:25. Also see Col. 7:10-15 and Col. 7:57-60.  One set of predicted passwords are used in an attempt to access a file before the use of another set of predicted passwords. It would have been obvious for any set of passwords to be used before another set as determined by the system designer.)
Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to modify the generation and storing of a plurality of sets of passwords from retrieved user-specific information taught by FARIVAR in view of STADING by applying the generated passwords to attempt to access a resource and using certain sets of passwords before other sets as taught by AMIN. Since the references are directed to information security by predicting passwords, the combination would yield predictable results. Furthermore, since STADING teaches using the generated passwords in order to test a cracking strength of a user’s actual password, it would have been further obvious to attempt to access a resource using the generated password. The order as to which password is used first amounts to a design choice. Furthermore, setting an order may improve the security and resource use of the system by allowing the designer to set which type of password they determine to be more likely to be used, potentially leading to earlier detection of a threat.


Claims 8 and 16 are rejected under 35 U.S.C. 103 as being unpatentable over FARIVAR (US 10,909,235 B1) in view of JERDONEK (US 8,769,607 B1).

Claim 8, FARIVAR teaches all the limitations of claim 1, on which claim 8 depends.
FARIVAR does not explicitly teach wherein generating, by the computing device, the targeted password list for the electronic device based on the characteristic data, the electronic source data, and the group data for the owner or user of the electronic device is based on parameters of passwords used by the electronic device.
However, JERDONEK, which is directed to a method of evaluating a password policy, teaches wherein generating, by the computing device, the targeted password list for the electronic device based on the characteristic data, the electronic source data, and the group data for the owner or user of the electronic device is based on parameters of passwords used by the electronic device. (“The password complexity refers to requirements to utilize certain combinations of characters or positional restrictions, or to avoid certain restricted words, restricted characters, and restricted combinations. The following is a non-limiting list of examples of password complexity constraints: (a) at least one number and one letter (i.e. at least two character classes); (b) at least one symbol; (c) at least one number, one letter and one symbol (i.e. at least three character classes); (d) at least one number between the first and last character (a positional constraint); (e) no symbols (a character class restriction); only letters and numbers (a character class restriction); (f) cannot contain the user's name, or other personal information (restricted words and/or numbers); and (g) cannot be a common word or password.” Col. 5:56 – Col. 6:5. A device or resource would have a 
Before the effective filing date of the invention, it would have been obvious to one of ordinary skill in the art to modify the generation of passwords for an information security system using retrieved user-specific information taught by FARIVAR by requiring the generated password to have certain parameters, as taught by JERDONEK. As taught by JERDONEK (Col. 6:2-5), “these types of password complexity constraints increase the randomness of passwords under a password policy, and as a result, increase the entropy and security of the password policy”. Furthermore, since the goal of FARIVAR is to predict passwords that a malicious third party would try to use to access the resources of a user, and it is known that the password policy of a particular resource requires certain parameters, then it would have been obvious for the predicted passwords to comply with the required parameters.
Claim 16 is directed to a computer-implemented system but otherwise recites the same limitations as claim 8. Claim 16 is therefore rejected using the same reasoning described above.

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure.
Shapiro (US 2018/0060564 A1) teaches generation of password using user personal data in real time. (¶ 53, 61, 70, 86)
O’Dell (US 2018/0300473 A1) teaches generation of passwords from strings of characters, including making the password comply with certain parameters. (Abstract, Fig. 8)
Nguyen-Huu (US 10,797,870 B1) teaches generation of passwords by permutating strings of characters of confidential user information and providing the generated passwords as a list to the user for use with a protected resource. (Abstract, Fig. 4)
Sun (US 2019/0165944 A1) teaches device protection rules for user authentication, including a hacker test that attempts to use predicted passwords to access a resource. (Abstract, Fig. 3, ¶ 15)

Any inquiry concerning this communication or earlier communications from the examiner should be directed to RAMI RAFAT OKASHA whose telephone number is (571)272-0675. The examiner can normally be reached M-F 9-5 EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Kieu Vu can be reached on (571) 272-4057. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is 





/R.R.O./           Examiner, Art Unit 2173                                                                                                                                                                                             

/KIEU D VU/Supervisory Patent Examiner, Art Unit 2173