Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Amendment
This communication is in response to the amendment filed on 8/23/2022. The Examiner acknowledges amended claims 1-4, 6, and 9-10. Claims 5, 7-8, and 11-13 have been canceled. No claims have been added. Claims 1-4, 6, and 9-10 are pending and claims 1-4, 6, and 9-10 are rejected.  Claims 1 and 9 is/are independent. 

Response to Arguments
Applicant's arguments filed 08/23/2022 have been fully considered.  
CLAIM 1
Regarding claim 1, Applicant argues (see Remarks, bottom paragraph of page 5 to the top paragraph of page 6) that the references cited in the previous rejection fail to disclose the newly amended claim features.  This argument is persuasive, although the newly amended claim features do not satisfy the written description requirement, as indicated below. Therefore, the rejections are withdrawn. However, upon further consideration, a new ground of rejection is made in view of Liu et al. U.S. Publication 20210365546 (hereinafter “Liu”) in view of De Graaf et al. PCT Publication WO2006107201 (hereinafter “De Graaf”).
Liu teaches programmatically generating a string and concatenating the string with an administrator password to generate a composite password (Liu figure 2-3, para. 15, 18, 23, 27, 30, 31). De Graaf discloses that a composite password generated based on two separate component passwords is used to access online websites (De Graaf, Page 7, lines 3-20, Page 8, lines 16-31)
Accordingly, Applicant's argument is persuasive, the rejection is withdrawn, and new ground(s) of rejection are presented herein.


CLAIM 6
Regarding claim 6, Applicant’s argues (Remarks, page 8, 3rd paragraph to page 9, first paragraph) that the references cited in the previous rejection fail to disclose the newly amended claim features.  This argument is persuasive. Therefore, the rejections are withdrawn. However, upon further consideration, a new ground of rejection is made in view of Kurspahic et al. U.S. Publication 20160014110 (hereinafter “Kurspahic”) discloses performing a task that requires a password and then discarding the password (para. 5, 6). The Kurspahic reference in combination with Liu and De Graaf discloses limitations of claim 6.

	
CLAIM 9
Regarding independent claim 9, applicant argues that:
Regarding the rejection of claim 9 of the present invention based on Kirshan (Fig 2 Password management platform 201) and (Fig 9B, step 908) and Hoey Paragraph 20 and 21. Kirshan in Fig 2 and Fig 9B step 908 are teaching away from amended claim 9 of the present invention. Fig 2 of Krishan teaches a very complex method of password management platform. Amended claim 9 contains no teachings for Logon (202), Company Services (205), Contacts (214), FAQ (215), Privacy Policy (216), or My Account (204). Further, amended claim 9 contains no teachings regarding (paragraphs 39 and 40) of Kirshan the logon sequence (steps 202 through 204), Register steps 208 through 213. Method steps in amended claim 9 do not contain the steps shown in Fig 2 of Kirshan. 


Examiner respectfully disagrees. Figure 2 of the Krishan reference is cited for password management platform 201 depicted in figure 2, which discloses first portal recited in claim 9. Krishan Para. 39 and 40 describe the password management platform 201 interfaces depicted in figure 2. Other portions of the Kirshan and Hoey references disclose the remaining limitations of claim 9.  To the extent that Applicant argues that Kirshan is deficient because it discloses other so-called "complex" features in addition to those for it is cited, this argument is illogical and unpersuasive.  The pertinent question is whether the claim feature is disclosed by the reference.
Applicant further argues (bottom paragraph of page 9 to 1st paragraph of page 10) that:
Further, step 908 of Fig 9B of Kirshan only teaches the generation of the unique secure random password for the online account. Nowhere in Fig 9B of Kirshan is there any teaching of the user entering their own portion of the complete password used to access the protected online user's account. Additionally, Kirshan at Figs. 9A and 9B do not contain any teachings regarding the fact that the portal of the present invention does not retain the user's portion of the generated password. 

Examiner respectfully disagrees. It is the secondary reference Hoey that is cited in the rejection for disclosing the user entering their own portion of the complete password. See previous office action at page 7, 3rd paragraph. Claim 9 does not require that ‘the portal of the present invention does not retain the user's portion of the generated password’ as argued by applicant. Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993).
Applicant further argues (page 10) that:

Additionally, amended claim 9 of the present invention very clearly states that "said user's portion of said password remains unknown to said portal”. Kirshan at paragraph 0044 clearly states "On clicking the "save" button, the password management platform 201 stores the generated unique secure random password in the database and associates the generated unique secure random password with the online account" thus teaching away from amended claim 9 of the present invention. Kirshan at paragraph 0068 teaches that "The password generation module 201d defines instructions for configuring a time interval for automatically generating the unique secure random passwords for each of the online accounts based on user preferences." This teaching is an automated method for updating the password for the user's accounts based on some preference. Amended claim 9 of the present invention contains no such user preference for triggering an automatic update of the password for the user's online accounts.

Examiner respectfully disagrees. Hoey, not Kirshan, is cited for disclosing said user's portion of said password remains unknown to said portal. The limitation said user's portion of said password remains unknown to said portal is interpreted to mean that the password is re-entered by the user in order for the system to generate the hybrid password based on the password; this is similar to the applicant’s specification description in the published application para. 19 and para. 20. Hoey, para 20 & 21, describes the random seed value may be produced when the user enters a password, then the random seed value may be combined with other attributes ((such as the password) prior to application of the algorithms or combination with the algorithms to generate new random generated password to access a resource. Kirshan’s teaching of storing the generated password does not teach away from said user's portion of said password remains unknown to said portal. Kirshan Para. 68 is cited for section c of claim 9, which recites the generating of different randomized portion. 

Applicant further argues (page 11) that:
As to Hoey paragraph 0020, Hoey teaches the use of a "random seed value" to the algorithm generating random numbers. Amended claim 9 of the present invention does not specify that the algorithm generating the portal's first password portion. The algorithm generating the portal's first password portion may be gathering the initial first portion from a website that provides the number of shares traded on the NYSE or a government website that provides the number of crossings at the Tajuana port of entry into the United States in either direction or each direction. The algorithm may then perform such operations as executing a two's complement of the numbers obtained or use them as an index into a UTF-16 table providing some 1,112,064 valid characters. This teaches away from Hoey at paragraphs 20 and 21 because amended claim 9 specifically does not claim the use of randomized seeds or randomized numbers. As to Hoey paragraph 21, Hoey is teaching that "Once the password is generated, the password generator 106 registers the generated password with a resource 108". Hoey at paragraph 21 also implies that "The operations of registration or logging onto a resource using the generated password may be carried out by the password generator 106 or may be carried out by independent and/or separate modules" which also implies that Hoey at paragraph 21 has prior knowledge of an online account's login process, password change process and/or other processes for every online service with is improbably at best. Amended claim 9 of the present invention makes no such teaching in amended claim 9 of the present invention.
The inventors respectfully submit that amended claim 9 of the present invention does not infringe on either Krishan figure 2 and figure 9B step 908 or Hoey paragraphs 20 and 21. 
	
Examiner respectfully disagrees. Claim 9, second to last line, as amended also involves randomization by reciting a different said first randomized portion. Amended claim 9 requires concatenation and merging, which is disclosed at Hoey para. 18, 20, and 21. The Hoey random seed value is a password portion generated by the portal website, and the Hoey password entered by a user is user’s portion password (para. 18, 20, and 21). Because the claim does not require any particular algorithm for generating the first password portion, the claim may read on any prior art algorithm that generates a password portion, so long as other requirements of claim 9 are satisfied. This means that claim 9 may read on an algorithm in the Hoey reference that uses random seed values. Hoey using random seed values does not “teach away” from the limitations of claim 9 since claim 9 reads on any algorithm for generating the first password portion. It does not matter if “amended claim 9 specifically does not claim the use of randomized seeds or randomized numbers” as argued by applicant. Examiner suggests that Applicant may choose to amend the claim to recite a specific algorithm for generating the first password portion that is not found in Hoey, and not broadly reciting a first algorithm that can read on any prior art algorithm, if such an amendment would be supported by the specification.
Regarding applicant’s argument of “prior knowledge of an online account's login process” in the reference, it does not matter what is probable or improbable in the reference. What is important is whether the limitations of claim 9 read on the disclosure of the reference. In claim 9, said user's portion of said password remains unknown to said portal is interpreted to mean that the password is re-entered by the user in order for the system to generate the hybrid password based on the password; this is consistent with the applicant’s specification in the published application para. 19 and para. 20. In the Hoey reference, the user submits the password and the system generates the new random generated password based on, among other things, the user-submitted password (para. 20). Amended claim 9 reads on the cited portions of the references.

CLAIM 10 
Regarding claim 10, Applicant argues (Remarks, page 12, bottom paragraph up to page 13, top paragraph) that the references cited in the previous rejection fail to disclose the newly amended claim features.  This argument is persuasive. Therefore, the rejections are withdrawn. However, upon further consideration, a new ground of rejection is made in view of Krishan in view of Hoey, in view Yun et al. U.S. Publication 20150121467 (hereinafter “Yun”). Yun discloses interspersing the characters of a password with verification string and random characters (para. 9, 47). The combination of the references discloses the limitations of claim 10.
Regarding applicant’s arguments (page 6, bottom paragraph, through page 8, top paragraph)  with respect to dependent claim 2, Applicant’s arguments are persuasive. Therefore, the rejections are withdrawn. New grounds of rejection are presented herein. Furthermore, the dependent claims inherit their respective limitations from the respective independent claims, and are therefore rejected for the same reasons as the respective independent claims.
The rejection(s) of claims under 35 U.S.C. § 112 are withdrawn in view of Applicant's amendments except as specifically set forth below.
Accordingly, Applicant's argument is persuasive with respect to claim 1-4, 6, and 10, the rejections are withdrawn, and new ground(s) of rejection are presented herein. Applicant’s argument is unpersuasive with respect to claim 9, and the rejection is maintained. Note that this action is made FINAL. See MPEP § 706.07(a).

	
	
	

Claim Rejections - 35 USC § 112(a)
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1-4 and 6 is/are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Claim 1 recites “created by program code without the use of a pseudo random number generator or a seed number fed to a pseudo random number generator”.  The specification describes generating a randomized base password (e.g., para. 42, 43, 51 of the application publication US 20210064737 A1). The specification does not mention any random number generators or any alternative to random generation to generate a base password. Generating anything random in a computer would involve generating random bits, which are a random value generated by a random number generator. The specification also includes (e.g. para. 27)  a definition of base password (“Base Password: A programmatically generated password of one or more characters that can consist of capital or lower-case letters, numbers or symbols and is obfuscated or hidden when displayed to the account owner ") that encompasses numbers which are randomly generated. Note that the specification must specifically must explicitly provide support for the negative limitation. Dependent claims 2-4 and 6 inherit the limitations of claim 1 and are rejected for the same reasons.

Claim Rejections - 35 USC § 112(b)
	The following is a quotation of 35 U.S.C. 112(b):

(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 3, 6 and 9-10 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention. 
Claim 6 recites: “said online computer system”. There is a lack of antecedent basis for said online computer system.
Claim 9 is rejected as indefinite because it is narrative in form and replete with indefinite language. It contains too many grammatical errors and missing antecedent bases for terms to be understood.  In particular, excessive and inconsistent use of the words "said" and "first" have created, rather than dispelled, confusion.  The structure which goes to make up the device must be clearly and positively specified. The structure must be organized and correlated in such a manner as to present a complete operative device. The claim(s) must be in one sentence form only. Note the format of the claims in the patent(s) cited.
An examination of claim 9 reveals that applicant is unfamiliar with patent prosecution procedure. While an applicant may prosecute the application (except that a juristic entity must be represented by a patent practitioner, 37 CFR 1.31), lack of skill in this field usually acts as a liability in affording the maximum protection for the invention disclosed. Applicant is advised to secure the services of a registered patent attorney or agent to prosecute the application, since the value of a patent is largely dependent upon skilled preparation and prosecution. The Office cannot aid in selecting an attorney or agent.  A listing of registered patent attorneys and agents is available at https://oedci.uspto.gov/OEDCI/.  Applicants may also obtain a list of registered patent attorneys and agents located in their area by writing to the Mail Stop OED, Director of the U.S. Patent and Trademark Office, P.O. Box 1450, Alexandria, VA 22313-1450.
While the errors in claim 9 are too numerous to catalog, a few are noted individually below.
Claim 9 recites: “a different said first randomized portion of said websites said password portion” which makes the claim indefinite because claim 9 has been amended to remove the prior instance of the word randomized, so that said first randomized portion does not have antecedent basis. Also, it is not clear whether “said websites” refers to “a single website” or “said user’s website accounts”, and therefore lacks antecedent basis. Also, it is not clear whether “said password portion” refers back to “said first password portion” or is another password portion, and therefore lacks antecedent basis. For purpose of examination, the Examiner interprets the limitation as “a different first randomized portion of a website’s password portion.”

Claim 10 is also rejected because claim 10 inherits the limitations of claim 9 and is rejected for the same reasons as claim 9. Appropriate correction is required.
Claim Rejections - 35 USC § 103
	The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

	The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459 (1966), that are applied for establishing a background for determining obviousness under 35 U.S.C. 103 are summarized as follows:
1. Determining the scope and contents of the prior art.
2. Ascertaining the differences between the prior art and the claims at issue.
3. Resolving the level of ordinary skill in the pertinent art.
4. Considering objective evidence present in the application indicating obviousness or nonobviousness.
	
	This application currently names joint inventors. In considering patentability of the claims the examiner presumes that the subject matter of the various claims was commonly owned as of the effective filing date of the claimed invention(s) absent any evidence to the contrary.  Applicant is advised of the obligation under 37 CFR 1.56 to point out the inventor and effective filing dates of each claim that was not commonly owned as of the effective filing date of the later invention in order for the examiner to consider the applicability of 35 U.S.C. 102(b)(2)(C) for any potential 35 U.S.C. 102(a)(2) prior art against the later invention.

	
Claims 1-4 is/are rejected under 35 U.S.C. 103 as being unpatentable over Liu et al. U.S. Publication 20210365546 (hereinafter “Liu”) in view of De Graaf et al. PCT 
Publication WO2006107201 (hereinafter “De Graaf”).

As per claim 1, Liu discloses 
A method whereby a hybrid password is formed by combining a programmatically generated base password created by program code without the use of a pseudo random number generator or a seed number fed to a pseudo random number generator with a user generated password or Personal Identification Number (PIN) used to access a computer system.  
(See figure 2 and figure 3 for the method
 programmatically generated base password created by program code without the use of a pseudo random number generator or a seed number fed to a pseudo random number generator =  ‘The character string may be programmatically generated, randomly generated, and so forth’ [Liu 0023]. Since programmatically generated and randomly generated are listed as a series of alternatives, programmatically generated in the Liu reference does not include randomly generated
hybrid password = first updated password [Liu 0023]
a user generated password = administrator password  [Liu 0023]
The claim does not clarify used to access. A password used to access a website is broadly interpreted to mean that the password is somehow involved in the process for accessing the computer, such as the password is submitted to the computer or that the password is used to generate other passwords for submission to the computer.
)
Liu  [0015]
Password update module 110 may generate the passwords by concatenating the primary password with a character string generated based on a respective password policy. For example, the password policy for the management engine BIOS extension (MEBX) password seeks a password including a lowercase letter and a number. Thus, the password update module may concatenate the characters “a1” to the primary password to generate a MEBX password that conforms to the password policy specified by the MEBX BIOS portion. 
Liu [0018]
While some examples herein describe generating and concatenating fixed character strings based on the password policy to the administrator password. In other examples, a random string of characters selected based on the password policy may be concatenated instead. 
Liu [0030]
administrator password update module may allow for modifying the administrator password to a new password requested by a user according to security rules specified in the BIOS.
Liu [0023]
Method 200 also includes generating a first updated password at 240. The first updated password may be generated by concatenating a character string to the administrator password. The character string may be generated based on a password policy for the first password. The character string may be concatenated as a prefix, a postfix, and so forth. The character string may be programmatically generated, randomly generated, and so forth.
Liu [0027]
set of updated passwords may be generated by concatenating respective character strings to the administrator passwords. 
Liu [0031]
Module password update module 430 may change members of the set of module passwords to the administrator password concatenated with character strings. This may be completed, for example, after the administrator password has been updated by administrator password update module 420. The character strings may be generated based on password polices associated with respective module passwords. By way of illustration, a password policy specifying that a password include a special character and a number may cause the character string “i” to be concatenated with the administrator password. 


	
However, Liu does not expressly disclose access an account located on an online website
De Graaf discloses that a password is used to access third-party online websites
(	 
De Graaf Page 7, lines 3-20 describes generating a password, also called an access code, which involves generating the composite password from 2 passwords, any one of these De Graaf passwords are used to access the application/website. Both the De Graaf component passwords used to generate the composite password and the composite password are used to access an account located on an online website, since the claim does not clarify the scope of used to access.
).
De Graaf Page 8, lines 16-31 The thus generated (access) code can finally be sent by means of program keystrokes to the application/website to which access is desired and for which the (access) code is required. … a program forming an embodiment of the present invention can provide for the transfer of the generated code to this input field. In order to further facilitate logging onto the application/website, an "Enter" keystroke can also be sent after the (access) code. 
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Liu with the technique for using a password (access code) to access a website of De Graaf to include access an account located on an online website.
One of ordinary skill in the art would have made this modification to improve the ability of the system to facilitate access to the website. The system of the primary reference can be modified so that the computing device (e.g., computer 600) is a portal facilitating access to third-party systems and the 3rd party system is a website requiring a password/access code for access.

As per claim 2, the rejection of claim 1 is incorporated herein. 
Liu discloses whereby the programmatically generated base password is created by an online computer system controlled by a software program 
( See Liu figure 6, para. 37, 38
online computer system controlled by a software program  = computer 600 
)
However, Liu does not expressly disclose whereby the programmatically generated base password is created by an online computer system controlled by a software program acting as a portal to other online password protected computer systems.  
De Graaf discloses  an online computer system controlled by a software program acting as a portal to other online password protected computer systems.  
De Graaf Page 8, lines 16-31 The thus generated (access) code can finally be sent by means of program keystrokes to the application/website to which access is desired and for which the (access) code is required. … a program forming an embodiment of the present invention can provide for the transfer of the generated code to this input field. In order to further facilitate logging onto the application/website, an "Enter" keystroke can also be sent after the (access) code. 
Page 7, lines 3-6 A software program as possible embodiment of the present invention preferably has priority over all programs running on a computer in the sense that when a program as embodiment of the method according to the invention is started

As per claim 3, the rejection of claim 1 is incorporated herein. 
However, Liu does not expressly disclose whereby the programmatically generated base password is unknown to the owner of an online portal account.  
De Graaf discloses the component passwords used to generate the access code is unknown to the owner of an online portal account.  
(
the owner of an online portal account is disclosed by, in  De Graaf, the third-party that owns the application/website to which access is desired. Claim 3 does not require that the owner is a person causing generating of the hybrid password, and only requires that the owner owns an online portal account, which means that the owner can be someone different than the person generating the hybrid password, such as the owner can be the 3rd party that owns the application/website to which access is desired. De Graaf Page 8, lines 16-31
)
De Graaf  7:10-20 having the program generate at least one (access) code. The program preferably automatically places a cursor in the box where the first password must be entered. The user types his/her first password using the keyboard, followed by pressing the "Enter" or "Tab" key or clicking in the (next) input field, for instance for the second password. In both cases the user can immediately enter the second password (possibly related to the application or website etc.). The input is now ended once again by pressing the "Enter" key or clicking on the button "Generate Password".
De Graaf Page 8, lines 16-31 The thus generated (access) code can finally be sent by means of program keystrokes to the application/website to which access is desired and for which the (access) code is required. … a program forming an embodiment of the present invention can provide for the transfer of the generated code to this input field. In order to further facilitate logging onto the application/website, an "Enter" keystroke can also be sent after the (access) code. 

It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Liu with the technique for providing only the generated access code to the application/website  of De Graaf to include 
whereby the programmatically generated base password is unknown to the owner of an online portal account.  
One of ordinary skill in the art would have made this modification to improve the ability of the system to ensure that the website only receives the final generated password, thereby reducing the chances of malicious 3rd parties reverse engineering to determine the component passwords used to generate the final password, which will compromise the password generating system. 

As per claim 4, the rejection of claim 1 is incorporated herein. 
The combined teaching of Liu and De Graaf discloses  whereby the programmatically generated base password and the user generated password or PIN shall be appended together and shall consist of a minimum of 2 characters.  
Liu 0023]
Method 200 also includes generating a first updated password at 240. The first updated password may be generated by concatenating a character string to the administrator password. The character string may be generated based on a password policy for the first password. The character string may be concatenated as a prefix, a postfix, and so forth. The character string may be programmatically generated, randomly generated, and so forth.


Regarding claim 6:
Claim 6 is/are rejected under 35 U.S.C. 103 as being unpatentable over Liu in view of De Graaf, further in view of Kurspahic et al. U.S. Publication 20160014110 (hereinafter “Kurspahic”).
As per claim 6, the rejection of claim 1 is incorporated herein. 
Liu discloses 
the user generated password or PIN [administrator password; see rejection of claim 1]
said online computer system controlled by a software program 
( See Liu figure 6, para. 37, 38
online computer system controlled by a software program  = computer 600 
)
However, Liu does not expressly disclose 
whereby the user generated password or PIN is never retained by said online computer system controlled by a software program acting as a portal to other online password protected websites.  

De Graaf discloses  said online computer system controlled by a software program acting as a portal to other online password protected websites.  
De Graaf Page 8, lines 16-31 The thus generated (access) code can finally be sent by means of program keystrokes to the application/website to which access is desired and for which the (access) code is required. … a program forming an embodiment of the present invention can provide for the transfer of the generated code to this input field. In order to further facilitate logging onto the application/website, an "Enter" keystroke can also be sent after the (access) code. 
Page 7, lines 3-6 A software program as possible embodiment of the present invention preferably has priority over all programs running on a computer in the sense that when a program as embodiment of the method according to the invention is started

It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified Liu with the technique for using a computing device as a portal to other online websites of De Graaf to include 
said online computer system controlled by a software program acting as a portal to other online password protected websites.  
One of ordinary skill in the art would have made this modification to improve the ability of the system to simplify access to websites via the computing device. The computing device of the Liu reference can facilitate management of passwords to other websites, as taught in the De Graaf reference.

However, the combination of Liu and De Graaf does not expressly disclose 
whereby the user generated password or PIN is never retained by said online computer system controlled by a software program acting as a portal to other online password protected websites.  
Kurspahic discloses performing a task that requires a password and then discarding the password
Kurspahic [0005]
the user's password may only be stored on the server side for a brief duration (e.g., between the time when password is received and the encrypted password is generated) and may be discarded permanently and securely, thereby ensuring secure protection of the user's password, even from unauthorized users of the secure storage system.
Kurspahic [0006]
With the password restored, the system may access the confidential information using the password as if it is entered by the user. Once the sensitive information is accessed, the password is discarded permanently and securely from the server. 

It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Liu and De Graaf with the technique for discarding a password after using the password to perform a task of Kurspahic to include 
whereby the user generated password or PIN is never retained by said online computer system controlled by a software program acting as a portal to other online password protected websites.  
One of ordinary skill in the art would have made this modification to improve the ability of the system to prevent malicious 3rd parties from gaining access to password data that is used to form a composite password. The system of the primary reference (e.g., multifactor password system 110) can be modified to discard password data for passwords that are used to form the composite password after use of the passwords. 

	Regarding claim 9:
	
Claim 9 is/are rejected under 35 U.S.C. 103 as being unpatentable over Krishan et al. U.S. Publication 20090150991 (hereinafter “Krishan”) in view of Hoey et al. U.S. Patent No. 20090150991 (hereinafter “Hoey”), further in view of Liu.
As per claim 9, Krishan discloses 
A method for limiting access by a bad actor gaining access to a first user's password to all websites where said user has an account to just a single website comprising: 
(
see, for example, Krishan para. 4, “hacked into” for disclosing bad actor
see, for example, the method depicted in Krishan figure 1, element 106, accessing online accounts using generated unique random passwords via password management platform
single website = Krishan password management platform, figure 1, element 101; figure 2, password management platform 201
all websites where said user has an account = “The online accounts are, for example, electronic mail (email) accounts, social networking accounts,…’ Krishan [0028]
a first user's password to all websites can be disclosed by ‘the term “user passwords” refers to passwords created by the user for accessing the online accounts’ [Krishan 0028]
)
Krishan [0004]
Most often users create generic passwords even for online accounts requiring high levels of security, which can easily be copied and/or hacked into, thereby compromising the security of the online accounts. … a need for a method and system that provides security to online accounts that are accessed through WiFi®. 
Krishan [0028]
 the term “user passwords” refers to passwords created by the user for accessing the online accounts. The password management platform generates 104 one or more unique secure random passwords to replace the user passwords for one or more of the online accounts, 
Krishan [0037]
FIG. 2 … password management platform 201 configured to generate and manage multiple passwords associated with multiple online accounts. The password management platform 201 is configured, for example, as a website 
Krishan [0045]
Clicking on the “change” button allows the user to change the password associated with the online account to the unique secure random password generated by the password management platform 201.
)
	a. a first online computer system acting as a first portal accessed by said first user to protect said first user's accounts accessible only through said first online computer system acting as said first portal where said first portal generates, via a first algorithm [para. 46 pseudocode], a ATTORNEY DOCKET NO. Invysta-Hybrid PassSerial No.: 16/947,938 different first password portion [Fig.2, Password management platform 201], and [Fig.9B, step 908, generate the unique secure random password for the online account].
Krishan [0037]
FIG. 2 … password management platform 201 configured to generate and manage multiple passwords associated with multiple online accounts. The password management platform 201 is configured, for example, as a website 
Krishan [0028]
 the term “user passwords” refers to passwords created by the user for accessing the online accounts. The password management platform generates 104 one or more unique secure random passwords to replace the user passwords for one or more of the online accounts, 
[0011]
the password management platform provides direct access to the online accounts using the user passwords or the generated unique secure random passwords.

c. said user enters the same said user's said portion of said password for any of said user's said website accounts without fear of a hacker being able to access more than one of said user's website accounts because said first portal has generated, via said first algorithm, a different said first randomized portion of said websites said password portion.
(The Krishan password generation module automatically generates the unique secure random passwords when the user tries to access the online accounts. That will make it difficult for the hacker or unauthorized to steal the correct user password to access the user accounts
said user enters the same said user's said portion of said password for any of said user's said website accounts = ‘user can then log into the online account for which the password was generated on the website that hosts the online account and change the password to the unique secure random password generated by the password management platform 201’ Krishan [0044]
Claim 9 recites: “a different said first randomized portion of said websites said password portion”.  For purpose of examination, the Examiner interprets the limitation as “a different first randomized portion of a website’s password portion.”
). 
Krishan para 0068: the password generation module 201d defines instructions for configuring a time interval for automatically generating the unique secure random passwords for each of the online accounts based on user preferences. The notification module 201g defines instructions for transmitting a pass word notification to each of the online accounts via the network 703 to replace the user passwords with the generated unique secure random passwords. 
Krishan [0044]
FIG. 4 exemplarily illustrates a graphical user interface (GUI) 201 a of the password management platform 201 shown in FIG. 2 and FIG. 7, displaying a unique secure random password generated by the password management platform 201 for an online account of a user. The password management platform 201 generates a unique secure random password for an online account, when the user clicks on the “create password” button on the “My Account” 204 interface exemplarily illustrated in FIG. 2, provided on the GUI 201 a. The password management platform 201 randomly generates a unique secure random password for an online account selected by the user. The user can then log into the online account for which the password was generated on the website that hosts the online account and change the password to the unique secure random password generated by the password management platform 201. The user then returns to the “My Account” 204 interface on the password management platform 201 and clicks a “save” button. On clicking the “save” button, the password management platform 201 stores the generated unique secure random password in the database and associates the generated unique secure random password with the online account.

However, Krishan does not expressly disclose 
generates, via a first algorithm, a ATTORNEY DOCKET NO. Invysta-Hybrid PassSerial No.: 16/947,938 different first password portion that remains unknown to said user 
b. said user enters said user's first portion of said password that is concatenated or merged into said first password portion generated by said first portal, said user's portion of said password remains unknown to said portal, 

Hoey discloses  
b. said user enters said user's first portion of said password that is concatenated or merged into said first password portion generated by said first portal, said user's portion of said password remains unknown to said portal,
(said user's portion of said password remains unknown to said portal is interpreted to mean that the password is re-entered by the user in order for the system to generate the hybrid password based on the password; this is consistent with the applicant’s specification in the published application para. 19 and para. 20.
Hoey, para 20 & 21, the random seed value may be produced each time the user enters a password, then the random seed value may be combined with other attributes prior to application of the algorithms or combination with the algorithms to generate new random generated password to access a resource 108. Examiner interprets the Hoey random seed value is a password portion generated by said portal website, and the Hoey password entered from a user is user’s portion of the password.
).
Krishan [0018]
Once authenticated a password generator 106 may produce a generated password. The password generator 106 accesses attributes to provide a seed that is used to produce the generated password. These attributes may be specific to the user. The specific attributes may be local or external attributes. Internal attributes may include, for example but not limited to, the user's entered password
Krishan [0020] a random seed value may be used as an attribute or in combination with other attributes. … The random seed value may be combined with other attributes prior to application of the algorithms or in combination with the algorithms. 

It would have been obvious to one of ordinary skill in the art before the effective filling date of the claimed invention to have combined Hoey’s invention for combining generated password with a user generated password or PIN with Krishan’s hybrid password because doing so enables the system to generate a hybrid password specific to a user each time a user attempts to access a resource and avoids having the system to store the hybrid password.

However, the combination of Krishan and Hoey does not expressly disclose 
generates, via a first algorithm, a ATTORNEY DOCKET NO. Invysta-Hybrid PassSerial No.: 16/947,938 different first password portion that remains unknown to said user 
Liu discloses 
generates, via a first algorithm, a ATTORNEY DOCKET NO. Invysta-Hybrid PassSerial No.: 16/947,938 different first password portion that remains unknown to said user 
( see also para. 10 “silently provided”, para. 16 “passively concatenated”
) 
Liu [0028]
Method 300 also includes providing the character string at 360. The character string may be provided upon detecting an attempt to access a resource secured by the first password. Providing the character string may facilitate granting access to the resource. The character string may be provided by, for example, silently concatenating the character string with an entered password
Liu [0023] The character string may be programmatically generated, randomly generated, and so forth.
It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Krishan and Hoey with the technique for silently concatenating the programmatically generated character string to the administrator password of Liu to include 
generates, via a first algorithm, a ATTORNEY DOCKET NO. Invysta-Hybrid PassSerial No.: 16/947,938 different first password portion that remains unknown to said user 
One of ordinary skill in the art would have made this modification to improve the ability of the system to prevent the user from obtaining knowledge of the generated portion of the composite password, which may prevent user errors such as the user inadvertently revealing the password to other parties by writing down the password. The system of the primary reference can be modified to add the generated portion of the password to the composite password, without revealing the generated portion of the password to the user.


Claim 10 is/are rejected under 35 U.S.C. 103 as being unpatentable over Krishan in view of Hoey, in view of Liu, further in view of Yun et al. U.S. Publication 20150121467 (hereinafter “Yun”).
As per claim 10, the rejection of claim 9 is incorporated herein. 
	However, the combination of Krishan, Hoey, and Liu does not expressly disclose 
where said portal merges said user's portion of said user's pin or user's password portion by interspersing said user's portion of said user's pin or user's password portion of said user's password into said first password portion.
Yun discloses interspersing the characters of a password with verification string and random characters
Yun [0047] FIG. 5 illustrates the use of representative character with the second prevention mechanism of a verification code. A verification code is a string of base characters generated by the server system and transmitted to the user for use in inputting a password. In accordance with embodiments of this invention, the verification code and password are included in the input string. In addition, as shown in FIG. 5, the input may include random characters inserted by the user. The characters of the password, verification code, and random character may be interspersed. All that is required is that the characters of the password and verification code appear in that same order as given. As illustrated in FIG. 5, user password 505 is "hello123", random characters 510 include "v9 slm0", and verification code 515 is "479625". Password 505, random characters 510, and verification code 515 are mixed to form resulting string 520 which is "v4he79ls9llo625m230". Although each of the components is interspersed, the order of each component remains the same. One skilled in the art will recognize that the user is free to make any number of different combinations as long as the order of characters in the password and verification code is maintained.
Yun [0009] The above and other problems are solved and an advance in the art is made by systems and methods provided by embodiments in accordance with the invention. A first advantage of a system and method embodying this invention is that the use of a verification code prevents an attacker from accessing the system if a password is determined through an attack. A second advantage of a system and method embodying this invention is that the user password is better protected from brute-force and key-capturing/tracking attacks. A third advantage is that the password is protected from discovery through the use of representative characters and the combination of the password, verification code, and possibly random characters in the input string. A fourth advantage is that a password does not have to be lengthy or random to prevent detection; 

It would have been obvious to a person having ordinary skill in the art before the effective filing date of the claimed invention to have modified the combination of Krishan, Hoey, and Liu with the technique for interspersing the characters of a password with verification string and random characters of Yun to include 
where said portal merges said user's portion of said user's pin or user's password portion by interspersing said user's portion of said user's pin or user's password portion of said user's password into said first password portion.
One of ordinary skill in the art would have made this modification to improve the ability of the system to prevent attackers from determining the password, and deterring brute force attacks. The system of the primary reference as modified by the teachings of Hoey and Liu, can be further modified to intersperse the characters of the password with the characters of the random seed value.
 
Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to HOWARD H LOUIE whose telephone number is 571-272-0036.  The examiner can normally be reached on Monday-Friday 9 AM-5 PM EST.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jung W. Kim can be reached on 571-272-3804.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/HOWARD H. LOUIE/Examiner, Art Unit 2494                                                                                                                                                                                                        
/THEODORE C PARSONS/Primary Examiner, Art Unit 2494