Web Page Password Capture and Evaluation

§103 §112

DETAILED ACTION The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the America Invents Act (AIA ). Response and Claim Status The instant Office action is responsive to the response received November 17, 2025 (the Response). In response to the Response, the previous (1) rejection of claims 8–12 and 14 under 35 U.S.C. § 112(b); (2) rejection of claims 1, 5–7, 13, and 14 under 35 U.S.C. § 102; and (3) rejections of claims 2–4, 8, 9, and 11–14 under 35 U.S.C. § 103 are WITHDRAWN. Claims 1–8 and 10–17 are currently pending. Information Disclosure Statement (IDS) The IDSs filed August 31, 2025; November 17, 2025; December 17, 2025; and December 19, 2025 each comply with the provisions of 37 C.F.R. §§ 1.97, 1.98 and MPEP § 609. The IDSs have been placed in the application file, and the information referred to therein has been considered. Response to Arguments Applicants’ arguments with respect to the rejection of (A) claims 1, 5–7, 13, and 14 under 35 U.S.C. § 102 as being anticipated by Belisario et al. (US 2014/0068733 A1; Feb. 27, 2013) (see Response 7); (B) claims 1, 13, and 14 under 35 U.S.C. § 103 as being obvious over Mehr (US 11,537,706 B1; Dec. 19, 2014) in view of Belisario (see Response 8); and (C) claim 9 under 35 U.S.C. § 103 as being obvious over Mehr in view of Belisario, and in further view of Reinhold (US 2017/0317828 A1; Apr. 25, 2017) (see Response 8) have been considered but are now moot. Specification The following is a quotation of 37 C.F.R. § 1.75(d)(1): The claim or claims must conform to the invention as set forth in the remainder of the specification and the terms and phrases used in the claims must find clear support or antecedent basis in the description so that the meaning of the terms in the claims may be ascertainable by reference to the description. The Specification is objected to under 37 C.F.R. § 1.75(d)(1) for failing to provide proper antecedent basis for “web analysis server” recited in claims 15–17. See MPEP § 608.01(o). Claim Rejections – 35 U.S.C. § 112 The following is a quotation of 35 U.S.C. § 112(b): “The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.” The MPEP recites “[d]uring examination, after applying the broadest reasonable interpretation consistent with the specification to the claim, if the metes and bounds of the claimed invention are not clear, the claim is indefinite and should be rejected.” MPEP § 2173.02(I) (citing In re Packard, 751 F.3d 1307, 1311 (Fed. Cir. 2014)). “For example, if the language of a claim, given its broadest reasonable interpretation, is such that a person of ordinary skill in the relevant art would read it with more than one reasonable interpretation, then a rejection under 35 U.S.C. 112(b) . . . is appropriate.” Id. See also id. § 2173.05(e)(discussing indefiniteness arising for terms lacking proper antecedent basis). Claims 15–17 are rejected under § 112(b) as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor regards as the invention. Claim 15, line 3, “the web analysis server” lacks clear antecedent basis. Claim 16, line 3; and claim 17, lines 2–3 by analogy. Claim Rejections – 35 U.S.C. § 103 The following is a quotation of 35 U.S.C. § 103 which forms the basis for all obviousness rejections set forth in this Office action: A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made. Belisario and Kim Claims 1, 5–7, and 13–17 are rejected under 35 U.S.C. § 103 as being obvious over Belisario in view of Kim (US 2015/0089228 A1; Sept. 23, 2014). Regarding claim 1, while Belisario teaches a method (fig. 6; ¶¶ 60–63) for protecting a client computer (fig. 1, item 100), which includes a processor (fig. 1, item 116) and a display (fig. 1, item 124), the method comprising: analyzing a web page (“In a first step 600, the browser plug-in monitors the browser activity or other activity of the user across multiple websites and accounts that may require a password.” at ¶ 60; fig. 6, item 600) that was downloaded to the client computer; identifying, by the processor, a password input field (“This can include monitoring the webpages and accounts accessed to determine if there is a password field to be completed by the user.” at ¶ 60; fig. 6, item 600) in the web page; capturing, after rendering the password input field to the display, an input (“in step 605, it is determined whether a password is being entered by the user.” at ¶ 60; fig. 6, item 605) to the password input field; evaluating the captured input against a specified password policy (“in step 625, that comparison is used to compute whether the password lacks strength.” at ¶ 61; fig. 6, item 625); and generating an alert (“processing continues to step 630 where a message is provided to the user explaining that the password is weak.” at ¶ 61; fig. 6, item 630) upon detecting a violation of the specified password policy, Belisario does not teach wherein the evaluating comprises applying a hash function to the captured input and conveying a result of the hash function to a password analysis server. Kim teaches applying a hash function (“applying a unidirectional hash function” at ¶¶ 50–51) to a captured input (“the user password” at ¶ 50; “the inputted password” at ¶ 51) and conveying a result of the hash function (“generate a hash value” at ¶¶ 50–51) to a password analysis server (“the web browser executed from on the client terminal 110 can transmit the hash value . . . to the server 120” at ¶ 52). It would have been obvious to one of ordinary skill in the art before the filing date of the invention for Belisario’s evaluating to comprise applying a hash function to the captured input and conveying a result of the hash function to a password analysis server as taught by Kim “to register a user account.” Kim ¶ 52. Moreover, “registering a user account may transmit the hash value obtained by applying a unidirectional hash function without directly exposing the user’s password, thereby preventing the password of the user account from being exposed even in the event of a pharming or phishing attack.” Id. ¶ 54. Regarding claim 5, Belisario teaches wherein the captured input comprises a captured password (“in step 605, it is determined whether a password is being entered by the user.” at ¶ 60; fig. 6, item 605). Regarding claim 6, Belisario teaches wherein evaluating the captured input against the specified password policy comprises searching for a specified substring (“each data item of the user can be compared in whole to all sequential parts of the password. For example, a data item of ABC may be found in a password of XABCYZ.” at ¶ 61) in the captured password, and wherein detecting the violation comprises detecting the specified substring in the captured password (“This comparison can be by using a black and white algorithmic test where any duplication of a data item by any part of the password is deemed weak.” at ¶ 61). Regarding claim 7, Belisario teaches wherein evaluating the captured input against the specified password policy comprises classifying, using a set of criteria (¶ 61), the captured password as either weak or strong (fig. 6, item 625; ¶ 61), and wherein detecting the violation comprises classifying the captured password as weak (Yes to fig. 6, item 625; ¶ 61). Regarding claim 13, Belisario teaches a client computer (fig. 1, item 100), comprising: a display (fig. 1, item 124); and one or more processors (fig. 1, item 116) configured to perform operations according to claim 1. Thus, references/arguments equivalent to those present for claim 1 are equally applicable to claim 13. Regarding claim 14, Belisario teaches a computer software product for protecting a client computer (fig. 1, item 100), which includes a display (fig. 1, item 124), the computer software product comprising a non-transitory computer-readable medium (fig. 1, item 128), in which program instructions are stored, which instructions, when read by a computer (fig. 1, item 100), cause the client computer to perform operations according to claim 1. Thus, references/arguments equivalent to those present for claim 1 are equally applicable to claim 14. Regarding claim 15, while the Belisario/Kim combination teaches wherein the evaluating the captured input against the specified password policy comprises conveying the result of the hash function to the password analysis server for the reasons discussed above with respect to claim 1, the Belisario/Kim combination does not teach encrypting the result of the hash function and conveying the encrypted result of the hash function to the password analysis server. Belisario teaches encrypting information (“The personal information may be encrypted” at ¶ 44). It would have been obvious to one of ordinary skill in the art before the filing date of the invention for the Belisario/Kim combination’s result of the hash function to be encrypted (and thus the conveying the result of the hash function to the password analysis server to be the encrypted result) as taught by Belisario for “securing this type of information.” Belisario ¶ 44. Moreover, “to determine whether software is authorized to access this information.” Belisario ¶ 39. Regarding claims 16 and 17, claim 15 recites substantially similar features. Thus, references/arguments equivalent to those present for claim 15 are equally applicable to claims 16 and 17. Belisario, Kim, and Magyar Claim 2 is rejected under 35 U.S.C. § 103 as being obvious over Belisario in view of Kim, and in further view of Magyar et al. (US 2019/0020646 A1; July 12, 2018). Regarding claim 2, while Belisario teaches wherein the steps of analyzing, identifying, capturing, evaluating and generating are performed by a web browser (fig. 3A, item 300; fig. 6, item 600) configured to download the web page (“Browser plug-in 320 may observe web pages being rendered and determine that certain fields require a password.” at ¶ 38), and to render the password input field (“This can include monitoring the webpages and accounts accessed to determine if there is a password field to be completed by the user.” at ¶ 60), Belisario does not teach the web browser being a browser extension for the web browser. Magyar teaches a browser extension for a web browser (“user 160 then opens the browser extension 152a within the web browser 152” at ¶ 30). It would have been obvious to one of ordinary skill in the art before the filing date of the invention for Belisario’s web browser to be a browser extension for the web browser as taught by Magyar to provide “an improved technique for providing federated login to a password vault.” Magyar ¶ 8. Belisario, Kim, and Litty Claim 3 is rejected under 35 U.S.C. § 103 as being obvious over Belisario in view of Kim, and in further view of Litty et al. (US 11,979,383 B1; May 3, 2021). Regarding claim 3, while Belisario teaches wherein identifying the password input field comprises identifying the password input field in the web page (“This can include monitoring the webpages and accounts accessed to determine if there is a password field to be completed by the user.” at ¶ 60; fig. 6, item 600), Belisario does not teach (A) wherein the web page comprises browser executable code and (B) identifying the password input field in the browser executable code. Litty teaches a web page comprising browser executable code (“web pages (e.g., comprising HTML . . .)” at 12:39–40); and identifying a password input field in the browser executable code (“identifying a password field is as an HTML <input> element with a ‘password’ attribute” at 28:21–22). It would have been obvious to one of ordinary skill in the art before the filing date of the invention for Belisario’s web page to comprise browser executable code and for Belisario’s identifying the password input field to be in the browser executable code as taught by Litty for providing “improvements to securing computing interactions (e.g., with browsers and websites).” Litty 1:39-40. Moreover, “for protecting a browsing session.” Id. 1:60–61. Belisario, Kim, and Lupien Claim 4 is rejected under 35 U.S.C. § 103 as being obvious over Belisario in view of Kim, and in further view of Lupien et al. (US 2017/0126653 A1; Oct. 30, 2015). Regarding claim 4, while Belisario teaches wherein identifying the password input field comprises identifying the password input field, Belisario does not teach (A) wherein the web page comprises browser executable code, and further comprising generating document object model (DOM) elements in response to executing the browser executable code; and (B) identifying the password input field in one or more of the DOM elements. Lupien teaches wherein a web page comprises browser executable code (“HTML of the web page” at ¶ 30), and further comprising generating document object model (DOM) elements (“Document Object Model (DOM) is a cross-platform and language-independent convention for representing and interacting with objects in HTML” at ¶ 14; “the HTML document has been parsed into the Document Object Model (DOM)” at ¶ 13) in response to executing the browser executable code; and identifying a password input field in one or more of the DOM elements (“the credential manager application finds a relevant field in the DOM for the web page” at ¶ 21; “DOM objects for a password field may be identified by a ‘type=password’ attribute.” at ¶ 21). It would have been obvious to one of ordinary skill in the art before the filing date of the invention for Belisario’s web page to comprise browser executable code, and further comprising generating document object model (DOM) elements in response to executing the browser executable code and for Belisario’s identifying the password input field to be in one or more of the DOM elements as taught by Lupien “for logging a user into the user’s online accounts using web pages received over the internet.” Lupien ¶ 3. Belisario, Kim, and Ryu Claims 8, 10, and 11 are rejected under 35 U.S.C. § 103 as being obvious over Belisario in view of Kim, and in further view of Ryu et al. (US 2021/0400032 A1; Nov. 25, 2020). Regarding claim 8, Belisario does not teach further comprising rendering a user identifier (ID) input field on the display, capturing an additional input to the user ID field, wherein the captured additional input comprises a captured user ID, and wherein evaluating the captured input comprises conveying, to the password analysis server, a tuple comprising the captured user ID and the captured password. Ryu teaches rendering a user identifier (ID) input field (fig. 6A, item 606) on a display (fig. 6A, item 604), capturing an additional input (fig. 6A illustrates “JOHNNYAPPLESEED@APPLES.COM” as being input into item 606) to the user ID field, wherein the captured additional input comprises a captured user ID (“JOHNNYAPPLESEED@APPLES.COM” input into item 606 is a captured user ID), and wherein evaluating the captured input comprises conveying (¶ 238), to a password device (fig. 1A), a tuple comprising the captured user ID and a captured password (fig. 6A, item 608). It would have been obvious to one of ordinary skill in the art before the filing date of the invention for Belisario to further comprise rendering a user identifier (ID) input field on the display, capturing an additional input to the user ID field, wherein the captured additional input comprises a captured user ID, and wherein evaluating the captured input comprises conveying, to the password device, a tuple comprising the captured user ID and the captured password as taught by Ryu to “improve device security.” Ryu ¶ 244. “Providing improved security enhances the operability of the device and makes the user-device interface more efficient (e.g., by restricting unauthorized access) which, additionally, reduces power usage and improves battery life of the device by limiting the performance of restricted operations.” Id. ¶ 245. The Belisario/Ryu combination does not teach the password device being a password analysis server. Belisario teaches a password analysis server (fig. 1, item 112). It would have been obvious to one of ordinary skill in the art before the filing date of the invention for the Belisario/Ryu combination’s password device to be a password analysis server as taught by Belisario “to prevent the unauthorized access of this sensitive information by software or persons through other software.” Belisario ¶ 39. Regarding claim 10, while the Belisario/Kim combination teaches wherein the evaluating the captured input against the specified password policy comprises conveying the result of the hash function to the password analysis server for the reasons discussed above with respect to claim 1, the Belisario/Kim combination does not teach encrypting the result of the hash function and conveying the encrypted result of the hash function to the password analysis server. Belisario teaches encrypting information (“The personal information may be encrypted” at ¶ 44). It would have been obvious to one of ordinary skill in the art before the filing date of the invention for the Belisario/Kim combination’s result of the hash function to be encrypted (and thus the conveying the result of the hash function to the password analysis server to be the encrypted result) as taught by Belisario for “securing this type of information.” Belisario ¶ 44. Moreover, “to determine whether software is authorized to access this information.” Belisario ¶ 39. Regarding claim 11, Belisario teaches wherein detecting the violation of the specified password policy comprises receiving an indication (yes to fig. 6, item 625; yes to fig. 6, item 645; fig. 7A, item 710; fig. 7B, item 760) from the password analysis server that the conveyed tuple comprises a compromised password (¶¶ 61–62). Belisario, Kim, Ryu, and Zhang Claim 12 is rejected under 35 U.S.C. § 103 as being obvious over Belisario in view of Kim, in further view of Ryu, and in further view of Zhang (US 2019/0347667 A1; May 14, 2018). Regarding claim 12, while Belisario teaches wherein detecting the violation of the specified password policy comprises receiving an indication (fig. 6, items 630, 645) from the password analysis server that the conveyed tuple comprises a weak password (“the password is deemed weak” at ¶ 61), Belisario does not teach the weak password being a duplicate password for a user referenced by the user ID. Zhang teaches a duplicate password (“upon determining that the second password is a duplicate of the first password, generating and communicating, with at least one processor, a duplicate password response” at ¶ 83) for a user (fig. 12 illustrates users such as “Suzanne C. Tony”) referenced by a user ID (fig. 12, item 246). It would have been obvious to one of ordinary skill in the art before the filing date of the invention for Belisario’s weak password to be a duplicate password for a user referenced by the user ID as taught by Zhang “for preventing duplicate processing of a payment transaction.” Zhang ¶ 1. Mehr, Belisario, and De Jonge Claims 1, 13, and 14 are rejected under 35 U.S.C. § 103 as being obvious over Mehr in view of Belisario, and in further view of De Jonge (US 2019/0220590 A1; PCT filed June 21, 2017). Regarding claim 1, while Mehr teaches a method for protecting a client computer (fig. 2, item 202), which includes a processor and a display, the method comprising: analyzing an interface (fig. 4, item 400) that was downloaded to the client computer (fig. 2, item 202); identifying, by the processor, a password input field (fig. 4, items 402, 404) in the interface; capturing, after rendering the password input field to the display, an input (“a customer, through use of the password input field 402, provides a set of credentials” at 11:64–65) to the password input field; evaluating the captured input against a specified password policy (“the authentication service may determine, through use of the password complexity analyzer, that the provided set of credentials are weak (e.g., lacks complexity, comprises known dictionary terms, is of a relatively short length, etc.)” at 11:65–12:2); and generating an alert (“The authentication service may provide the results of its analysis to the interface 400, which may display the relative strength of the proposed set of credentials within the password strength display field 406. Additionally, the interface 400 may provide additional output, such as utilizing the word ‘WEAK’ as displayed in FIG. 4.” at 12:2–8) upon detecting a violation of the specified password policy, Mehr does not teach (A) the interface being a web page; and (B) wherein the evaluating comprises applying a hash function to the captured input and conveying a result of the hash function to a password analysis server. (A) Belisario teaches a web page (“In a first step 600, the browser plug-in monitors the browser activity or other activity of the user across multiple websites and accounts that may require a password.” at ¶ 60; fig. 6, item 600). It would have been obvious to one of ordinary skill in the art before the filing date of the invention for Mehr’s interface to be a web page as taught by Belisario “to prevent the unauthorized access of this sensitive information by software or persons through other software.” Belisario ¶ 39. (B) De Jonge teaches applying a hash function (“apply a hash function to the original password” at ¶ 31) to a captured input (“web browser 210 may receive an original user password” at ¶ 31) and conveying a result (“to obtain the user password” at ¶ 31) of the hash function to a password analysis server (“Browser 210 is arranged to send the user password . . . to password generation device 100” at ¶ 31; “The password generation is an electronic device, for example, a computer such as a server” at ¶ 12). It would have been obvious to one of ordinary skill in the art before the filing date of the invention for Mehr’s evaluating to comprise applying a hash function to the captured input and conveying a result of the hash function to a password analysis server as taught by De Jonge so that “security of the password is increased.” De Jonge ¶ 90. Regarding claim 13, Belisario teaches a client computer (fig. 2, item 202), comprising: a display (fig. 2 illustrates item 202 comprising a display); and one or more processors (23:39–52) configured to perform operations according to claim 1. Thus, references/arguments equivalent to those present for claim 1 are equally applicable to claim 13. Regarding claim 14, Belisario teaches a computer software product for protecting a client computer (fig. 2, item 202), which includes a display (fig. 2 illustrates item 202 comprising a display), the computer software product comprising a non-transitory computer-readable medium (23:39–52), in which program instructions are stored, which instructions, when read by a computer (fig. 2, item 202), cause the client computer to perform operations according to claim 1. Thus, references/arguments equivalent to those present for claim 1 are equally applicable to claim 14. Conclusion Applicants’ amendment necessitated the new ground(s) of rejection presented in this Office action.1 Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicants are reminded of the extension of time policy as set forth in 37 C.F.R. § 1.136(a). A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to § 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the mailing date of this final action. Any inquiry concerning this communication or earlier communications from the Examiner should be directed to DAVID P. ZARKA whose telephone number is (703) 756-5746. The Examiner can normally be reached Monday–Friday from 9:30AM–6PM ET. If attempts to reach the Examiner by telephone are unsuccessful, the Examiner’s supervisor, Vivek Srivastava, can be reached at (571) 272-7304. The fax phone number for the organization where this application or proceeding is assigned is (571) 273-8300. Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system. Status information for published applications may be obtained from either Private PAIR or Public PAIR. Status information for unpublished applications is available through Private PAIR only. For more information about the PAIR system, see http://portal.uspto.gov/external/portal. Should you have questions about access to the Private PAIR system, contact the Electronic Business Center (EBC) at (866) 217-9197 (toll-free). Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, Applicants are encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice. /DAVID P ZARKA/PATENT EXAMINER, Art Unit 2449 1 The Examiner notes original claim 9 is not commensurate in scope with the amended limitation of claim 1. Notably, original claim 9 recites “applying a hash function to the captured password.” The amended limitation of claim 1 recites “applying a hash function to the captured input.” The captured input to the password input field may not be a password (and thus not a captured password). See claim 5. Moreover, original claim 9 depended from original claims 5 and 8, whereas amended claim 1 does not incorporate original claims 5 and 8. Thus, Applicants’ amendment necessitated the new grounds of rejection presented in this Office action.