DETAILED ACTION
Amendments submitted on June 9, 2022 for Application No. 16/829783 are presented for examination by the examiner.
In the event the determination of the status of the application as subject to AIA 35 U.S.C. 102 and 103 (or as subject to pre-AIA 35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.

Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

Response to Arguments
Applicant’s arguments filed June 9, 2022 have been considered but they are not persuasive. In the remarks applicant argues:
I)	On page 8, Applicant argues that the cited prior art does not teach the newly amended limitations of “analyzing the packet, wherein analyzing the packet includes identifying a header of the packet and a payload of the packet; detecting a password within the packet based on analyzing the header of the packet”.
The Examiner disagrees and in no way concedes nor subscribes to Applicant's summarization or distillation of the art of record. It has been held "All of the disclosures in a reference must be evaluated for what they fairly teach one of ordinary skill in the art." In re Lemelson, 397 F.2d 1006, 1009 (CCPA 1968).
Curtis, abstract, Figure 2 and col. 3 line 36-col. 4 line 42, teaches receiving a packet and determining if the packet contains sensitive data such as a password by checking the payload. Curtis, col. 2 lines 58-67 and col. 3 lines 36-45, also teaches analyzing the header to determine if the packet contains sensitive data. Therefore, Curtis teaches analyzing both the header and the payload to detect a password in the packet. Additionally, the Examiner would note that all packets are transmitted “based on analyzing the header of the packet”. Therefore, as Curtis receives a packet (based on the header) and determines if the packet contains a password in the payload, it teaches the claimed limitations of “analyzing the packet including identifying a header of the packet and a payload of the packet” and “detecting a password within the packet based on analyzing the header of the packet”. Therefore, the cited prior art does teach the claim limitation in question. 
It has been held that a publication is good for all it teaches to persons of ordinary skill in the art. In re Fritch, 972 F.2d 1260, 1264 (Fed. Cir. 1992). A reference is good for all it teaches. In re Meinhardt, 392 F.2d 273, 280 (CCPA 1968). Finally, it is well established that a reference is good for all it fairly teaches a person having ordinary skill in the art, even when the teaching is a cursory mention. E.g., In re Mills, 470 F.2d 649, 651 (CCPA 1972).

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains.  Patentability shall not be negatived by the manner in which the invention was made.

Claims 1-4, 9-13, and 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over Lyne (US 2011/0239267) in view of Curtis (US 7877506).

As per claims 1, 11, and 16, Lyne discloses A method of network-based password policy enforcement, the method comprising: 
receiving, by a processor, a [content] configured to travel in a network, wherein the [content] is configured to travel from a first device to a second device (Lyne, abstract and paragraphs 8, 63, and 66, teaches monitoring content going over the Internet that contains a password.); 
analyzing the [content] (Lyne, abstract and paragraphs 8, 63, and 66, teaches monitoring content going over the Internet that contains a password. Lyne, abstract, Figure 2, and paragraphs 5, 8, 55-57, 60, and 63-66, teaches detecting the password in a field.); 
detecting a password within the [content] (Lyne, abstract, Figure 2, and paragraphs 5, 8, 55-57, 60, and 63-66, teaches detecting the password in a field.); 
determining whether the detected password complies with at least one password policy (Lyne, abstract, Figure 2, and paragraphs 5-8, 55-57, and 63-66, teaches detecting the password in a field and checking the password for compliance.); and 
providing a password policy compliance output to a user, wherein the password policy compliance output indicates to the user whether the detected password complies with the at least one password policy (Lyne, paragraphs 57 and 61, teaches notifying the user that the password does not comply with the password policy.)
Lyne, abstract and paragraphs 8, 63, and 66, specifically teaches monitoring content going over the Internet that contains a password which in most cases will require the use of packets to transmit the data over the Internet. However, Lyne does not specifically teach receiving, by a processor, a packet configured to travel in a network, wherein the packet is configured to travel from a first device to a second device; analyzing the packet; or detecting a password within the packet.
Curtis discloses receiving, by a processor, a packet configured to travel in a network, wherein the packet is configured to travel from a first device to a second device; analyzing the packet, wherein analyzing the packet includes identifying a header of the packet and a payload of the packet; detecting a password within the packet based on analyzing the header of the packet (Curtis, abstract, Figure 2 and col. 3 line 36-col. 4 line 42, teaches receiving a packet and determining if the packet contains sensitive data such as a password by checking the payload. Curtis, col. 2 lines 58-67 and col. 3 lines 36-45, also teaches analyzing the header to determine if the packet contains sensitive data. Additionally, the Examiner would note that all packets are transmitted “based on analyzing the header of the packet”. Therefore, as Curtis receives a packet (based on the header) and determines if the packet contains a password in the payload, it teaches the claimed limitations of “analyzing the packet including identifying a header of the packet and a payload of the packet” and “detecting a password within the packet based on analyzing the header of the packet”.)
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Curtis with the teachings of Lyne. Lyne teaches detecting a password in a network communication and analyzing the password to ensure it is compliant with the password policy. It is well known that network communications generally occur using network packets, but Lyne is silent on the use of packets. Curtis specifically teaches analyzing the payload of a packet to detect a password in the packet. Therefore, it would have been obvious to have detected the passwords in a packet as shown by Curtis as this would have been a simple substitution of one known form of password detection in a network communication for another to yield the predictable results of detecting a password in the packet and then analyzing the password to ensure it is compliant with the password policy.

As per claims 2, 12, and 17, Lyne in view of Curtis discloses further comprising: implementing a remediation action if the detected password does not comply with the at least one password policy (Lyne, paragraph 57, teaches giving the user a password that is compliant or allowing the user to enter a new password that is compliant.)  

As per claims 3 and 18, Lyne in view of Curtis discloses wherein the remediation action comprises at least one of: communicating with an enforcement engine to block access with the network, communicating with an identity provider to change the detected password, and alerting a network administrator (Lyne, paragraph 57, teaches alerting the user that the password needs to be changed and forwarding the user to the change password functionality portion by the password policy enforcement facility. Lyne, paragraph 37, also teaches performing a remedial action for a policy violation such as terminating a process or sending a warning to an administrator.)

As per claims 4, 13, and 19, Lyne in view of Curtis discloses wherein determining whether the detected password complies with the at least one password policy comprises: analyzing a feature of the detected password, wherein the at least one password policy includes one or more requirements for the feature (Lyne, paragraph 56, teaches comparing the password against an acceptable complexity standard.)

As per claim 9, Lyne in view of Curtis discloses The method of claim 1, wherein the detected password is detected based on the payload of the packet, wherein the payload includes information that exceeds a password threshold (Lyne, abstract, Figure 2, and paragraphs 5, 8, 55-57, 60, and 63-66, teaches detecting the password in a field. The Examiner would note that claim 10 further defines the password threshold exceeding when a string of characters is identified. As a password is considered as a string of characters, detecting the password as in Lyne is considered as exceeding the password threshold.) 

As per claim 10, Lyne in view of Curtis discloses The method of claim 9, wherein it is determined that the password threshold is exceeded when at least one or more of a sequential string of characters is identified, a common password is identified from a common password database, or specific information associated with a user is identified (Lyne, abstract, Figure 2, and paragraphs 5, 8, 55-57, 60, and 63-66, teaches detecting the password in a field. As a password is considered as a string of characters, detecting the password as in Lyne is considered as exceeding the password threshold.)

Claims 5, 14, and 20 are rejected under 35 U.S.C. 103 as being unpatentable over Lyne in view of Curtis and further in view of Kohlenberg (US 2015/0254452).

As per claims 5, 14, and 20, Lyne in view of Curtis discloses wherein determining whether the detected password complies with at least one password policy (Lyne, paragraph 56, teaches comparing the password against an acceptable complexity standard.)
However, Lyne in view of Curtis does not specifically teach comparing the detected password to previously observed matching password hashes to determine an age of the password or password re-use.
Kohlenberg discloses wherein determining whether the detected password complies with at least one password policy comprises: comparing the detected password to previously observed matching password hashes to determine an age of the password or password re-use (Kohlenberg, Figures 4-5 and paragraphs 28 and 42, teaches enforcing password policies such as preventing the reusage of passwords by comparing hash values of old passwords to the hash value of the current password.)
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Kohlenberg with the teachings of Lyne in view of Curtis. Lyne in view of Curtis teaches detecting a password in a packet and analyzing the password to ensure it is compliant with the password policy, but is silent in regards to the specifics of the password policy. Kohlenberg teaches that one password policy is preventing the re-use of old passwords. Therefore, it would have been obvious to incorporate into Lyne in view of Curtis a specific password policy, such as the password policy of Kohlenberg, as Lyne in view of Curtis has a password policy in general and can be varied to include the password policy to prevent the reuse of old passwords to add additional strength to the passwords that are used in the system.  

Claim 6 is rejected under 35 U.S.C. 103 as being unpatentable over Lyne in view of Curtis and further in view of Raikar (US 7849320).

As per claim 6, Lyne in view of Curtis discloses The method of claim 1 wherein the password policy is associated with a strength level of the detected password (Lyne, paragraph 56, teaches comparing the password against an acceptable complexity standard.)
However, Lyne in view of Curtis does not specifically teach generating the strength level based on a comparison of the password to previously observed matching passwords.
Raikar discloses wherein the password policy is associated with a strength level of the detected password, and wherein determining whether the detected password complies with at least one password policy further comprises: generating the strength level based on a comparison of the password to previously observed matching passwords (Raikar, Figure 2, col. 1 lines 17-28 and col. 5 line 43-col. 6 line 4, teaches enforcing password policies based on the strength of the password such as preventing “easy to remember” passwords that can be susceptible to dictionary attacks and preventing the reusage of passwords as either of these will decrease the strength of the password.)
It would have been obvious to one of ordinary skill in the art before the effective filing date to have combined the teachings of Raikar with the teachings of Lyne in view of Curtis. Lyne in view of Curtis teaches detecting a password in a packet and analyzing the password to ensure it is compliant with the password policy, but is silent in regards to the specifics of the password policy. Raikar teaches that one password policy is preventing the use of passwords that are easy to remember or preventing the reuse of old passwords. Therefore, it would have been obvious to incorporate into Lyne in view of Curtis a specific password policy, such as the password policy of Raikar, as Lyne in view of Curtis has a password policy in general and can be varied to include the password policy to prevent the reuse of old passwords and easy to remember passwords to add additional strength to the passwords that are used in the system.  

Allowable Subject Matter
Claim 8 is objected to as being dependent upon a rejected base claim, but would be allowable if rewritten in independent form including all of the limitations of the base claim and any intervening claims. The following is an examiner’s statement of reasons for allowance: The primary reason for the allowance of the claims is the inclusion of the limitation, inter alia, “wherein the detected password is detected based on the header including a network destination that is associated with a password database". The closest prior art of record includes:
Lyne and Curtis that teach detecting a password and checking the password for compliance with a password policy.
Kohlenberg and Raikar that teach various password policies.
Weatherford (US 2007/0150743) – teaches sending a password packet to a destination of an authentication server.
However, the combination of limitations as currently claimed cannot be found in the cited prior art of record.

Related Prior Art
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure includes:
Abuelsaad (US 2015/0324593) – teaches detecting a password in the payload of a packet.
Cromer (US 2003/0202514) – teaches extracting a password from a packet.
Swift (US 5719941) – teaches various password policies.
Smith (US 2006/0136993) – teaches using packet numbers in headers to put the packets in proper order and then compares the password in the payload to a stored password.

Conclusion
THIS ACTION IS MADE FINAL.  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner should be directed to JOHN B KING whose telephone number is (571)270-7310.  The examiner can normally be reached on Monday-Friday 10AM-6PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.  
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 5712728878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

/John B King/
Primary Examiner, Art Unit 2498