IBM Applies for Password Manager Patent
An anonymous reader writes "As of August 21, IBM has applied for a patent on "A convenient and secure system and method for access to any number of password-protected computer applications, web sites and forms without adding to the user cognitive load and without circumventing the inherent security of such password-protection schemes. An existing password field on a device display is overlaid with password wallet pop-up field which allows a wallet "master" key to unlock the wallet. An application-specific and/or user-specific password is automatically retrieved from the wallet and entered into the password field with no other user action required." This isn't much different from Mozilla's "Master Password"."
"BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
Sounds a lot like Apple's KeyChain to me.
SCO story... YAY IBM
Patent story... BOO IBM
do we like Apple today too? or is this an anti apple day? it's hard to keep up
Is IBM evil now, or still good. I need someone to root for in the whole SCO thing, but now that they're pulling patent BS like Amazon, I don't know what I should do.
So barring that IE, Mozilla, Opera have prior art, as well as all those 1000s of people who have written their passwords on Post-It notes and stuck them on their monitor, I see no problem with this.
Rus
This is also seen in Novell's "Secure Sign-on".
Keep Austin Weird!
Please try to remember that the abstract of a patent doesn't mean a single thing legally. It is just a short summary of the invention, nothing more. The claims are the only part of the patent that has any legal power, and since the poster failed to actually link to the patent or give us the patent number it is hard to say what this patent would cover.
Also try to remember that a patent is for a specific implementation of an invention and does not cover the general idea of the invention itself. If this were granted it would be possible to come up with your own implementation for password management and not be infringing on the patent.
"I have a porkchop, you have a porkchop. I have a veal, you have a veal".
IBM has always done crap like this, this is no different. Think they are great when they help you fight your enemies, fight hard when they are your enemy.
and he called it "Password Safe".
Said another way, IBM having the patent just prevents some VC-backed cyber squatter from patenting the idea and then demanding royalties from everyone under the sun.
http://plan9.bell-labs.com/sys/doc/auth.html
The Fourth Edition of Plan 9 includes a substantially reworked security architecture, described in the USENIX Security 2002 conference paper [html, ps, pdf] by Russ Cox, Eric Grosse, Rob Pike, Dave Presotto, and Sean Quinlan.
One particular aspect that other operating systems may wish to adopt is our single-signon solution. A process called factotum is used to hold credentials like passwords and public/private keypairs and perform cryptographic operations. Factotum allows clients to speak a variety of cryptographic protocols and therefore legacy application servers can participate in our single-signon system without change and without even knowing it exists.
The factotum has no direct permanent storage, but rather fetches credentials at startup from a secstore server on the network. To authenticate safely with the secstore, Password Authenticated Key-exchange is used; this implies that the user just has to remember and type one password and passive eavesdroppers or even active malicious intermediaries cannot launch even a dictionary attack against the system. The credentials are encrypted for storage on secstore, so even an administrator there would have difficulty reading them.
There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
The person who allowed the patent at the patent office should personally be responsible for any prior art they find afterwards. This person should be obligated to eat a copy of all specifications of prior art available. Either they would learn to appreciate and to digest cellulose or they would take a closer look at the papers they sign.
So the question is does IBM have a new and unique way of doing password management.
OK, so I'm not 100% clued up on how patents are accepted, and yes I know this one hasn't yet, but I'm willing to bet my left pinky it will. But isn't there some kind of group of experts in the computing field that overlook these before they're granted? There doesn't seem to be. But just how hard would it be to actually have people who have a broad knowledge of current technologies to make sure blatant prior art isn't being stood on? The patent office sure as hell charges enough for them, so why are they doing such a bad job??
moo
Used to have password keeping features, I believe, and allowed you to restrict access with a master password.
[sarcasm]
The innovation is killing me!
[/sarcasm]
It seems to me that since this is merely an application for a patent, and since supposedly those who will pass judgement on its patentability are also those who are supposed to seek prior art, then why don't we just send the Patent Office some emails specifying IBM's application, and providing them with evidence of prior art?
Perhaps we should pay attention to other equally annoying Patent-Applied-For notions, and thereby stop a whole slew of stupid patents.
You can't look at the name of a patent to know what they're patenting. It's called a "Patent title" and has no bearing on what the claims contain. I can't stand any of you people. Every single time one of you kiddies does a search on the USPTO's site and finds something that remotely sounds like something that already exists you come here and post it. I can't believe Slashdot lets such stupid articles get posted.
Companies:
SCO: DC 30
IBM: DC 10
Microsoft: DC 20
Amazon: DC 15
MPAA / RIAA: DC 30
Apple (If you use Macs): DC 5
Apple (otherwise) : DC 15
RedHat: DC 5
Disney: DC 15
US Government: DC 20
Other Government: DC 10
Modifiers:
Is switching to Linux: -20
Is switching from Linux: +15
Is going after Microsoft: -10
_____ vs. SCO : -20
Files a BS patent: +10
Is being investigated by the US government for anti-trust or Fraud: -5
In this case, we have IBM, a DC 10 check. We add a +10 Filing BS patent modifier, and we realize that we'll have to roll a natural 20 to make this check. I rolled an 18, so while I come close to supporting them, I just can't and decide to waste a bunch of my time making these charts instead.
SCO story... YAY IBM
Patent story... BOO IBM
do we like Apple today too? or is this an anti apple day? it's hard to keep up
They're all Corporate Scum!
Stuff like this is good for us /.'ers once in a while. It helps us snap out of the whole 'ibm-is-a-good-guy/on-our-side' romanticism. There are parts of IBM whose goals line up with ours very well, and there are parts that don't even come close. IBM is too big and diversified to have any sort of character assigned to it.
> Is IBM evil now, or still good.
Originality: F
Cleverness: F
Redundancy: A+
They are talking more about the user interface....
A password field pops up in an application. Their software pops up a dialog right over top, and asks you for the master password. It then finds your password and fills in the box.
visually, it makes more sense.
It is obvious the folks at IBM don't use Mozilla. :)
Cool...
Can you point me to the software that will pop up a password request box overlaid over the real box on, say, Slashdot? Or Mozilla Mail? Will it work with my other applications too?
This isn't just about filling in forms or passwords automatically, it's about the user interface for doing so.
The windows password list and the initial sign in would seem to be prior art.
Gator is Spyware. n/t
I will keep replying until you idiots stop moderating me down.
While not a true PDA, I used a Casio Databank thingie nearly 10 years ago for this exact thing..
Does that mean I get to sue IBM too? Cool!
---- Booth was a patriot ----
who cares? it got moderated back up again.
Since our patent system is archaic and in need of an overhaul, I think IBM's motivation here might be to secure a defensive patent so that if they deploy said system then some yahoo, sensing deep pockets, does not come out of the woodwork and try to collect a huge licencing fee.
I am sure MS wish they would have filed for a patent for extending their own browser. I would not doubt that it never occurred to them that such an obvious next step was patentable.
I fail to see how it's different from SASL and Kerberos.
Less is more !
Remember, IBM has a huge patent portfolio and probably owns patents to tons of stuff that is in widespread use, but doesn't bring out the guns except against companies like SCO. Hopefully this will be another of those.
Of course if they enforce it I'll be pissed.
As much as I despise patents on methods of accomplishing common tasks like these, I'd rather see a patent like this in the hands of IBM than be bitchslapped by Microsoft with it. IBM has shown themselves quite understanding about the hows and whys of open source and wouldn't gain anything by using it against OS. Commercial companies on the other hand should beware.
Whether or not we like patents it is rather nice having the company with the most patents in the industry on our side.
And I don't think IBM is evil at all and not even historically. When MS have fought tooth and nail IBM did give us the PC albeit reluctantly and under threat. Microsoft did the opposite and destroyed their own product just to keep the competition away.
Um, no it doesn't.
My original post is still sitting as (Score:-1, Offtopic)
execrable?
they're both too 'big' to be practical/survive.
we can get buy without either/both?
some things just can't be 'fixed'?
failure to adjust/adapt to the creators' mandate to care about/for each other, could result in planet/population decimation?
you know who to consult with/trust in on this won?
It had them all beat (unfortunately).
or something like that?
you morons do not appear to have the desired respect for yOUR corepirate eyecons, & their owned propertIEs.
mynuts won: delete the riff-raff, so all of us can get back to pretending to be phonIE ?pr? ?firm? scriptdead payper liesense stock markup billyonerrors ?again?
Here is a mirror of the article since it's slashdotted
Doesn't it sound a whole lot like ssh's passphrase?
Other patents by the same person
They seem to include such revolutionary ideas as scroll bars and window resizing
Points 10 - 13 explain what it is they are 'inventing' that is different from existing schemes. They list IE's auto complete, and say it has a failing in that anyone using the computer can autocomplete the form (thus it is not very secure). They mention Quicken having a very similar method of requiring one master password to complete any password dialog, but say that it is not ideal because the API is closed for Quicken's exclusive use.
The crux of their solution is that they want to make a generic API that allows their 'invention' to provide a password where requested to any application, browser window or similar.
Of course, as other people have already pointed out, this too has already been done. Novell's single-signon pops to my mind, and I'm sure a lot of other people have done this as well.
What are you smoking, pcp? OK, just propagate some more propaganda that people who smoke pot are completely stupid. Don't mean to be anal but it's more likely that a drunk person does something stupid than pot and you're not going to get jail time for having a beer, unless you do something stupid (likely). So please consider the sensibilities of all the people unjustly in jail for mere pot possession or use. If you're going to make fun of people for being stupid and need to blame it on a controlled substance, blame alcohol (legal) or pcp (no debate on its harmfulness).
use my non-whore AOL News link instead: click here
come anywhere near my kids or my property and I'll shoot you..
This canard, repeated in Slashdot with the frequency of a Bush press release on Fox News, just isn't the case. It does not become more true upon repetition.
Prior art is defined by statute, and the USPTO has no discretion to distinguish between patent and non-patent prior art. The USPTO searches not only the corpus of patent art, but also many commercial and generally available databases of non-patent prior art. Patent claims are frequently (and in some cases famously) refused in view of non-patent prior art.
Significantly, if you are aware of patent prior art for a published application, there are vehicles by which you may make the art a matter of record. Finally, if a patent issues with respect to which you are aware of prior art (patent or non-patent) raising a substantial new question of patentability, you may either file yourself or bring it to the attention of the Commissioner who may, in his discretion, bring his own reexamination proceeding. Again, patents have been rescinded famously in view of non-prior art in this manner as well (Compton's for example).
The key behind the patent seems to be (from the summary--the actual link doesn't seem to be working) that the user types the master password into the same space where the original password went. Current keychains use a separate dialog box.
Does it have prior art? I really don't know. Is it a silly patent? You bet. But thanks to its patent portfolio, IBM can beat up SCO and hold Microsoft at bay. Until software patents are abolished, companies need to keep applying for this kind of stuff.
.... it's called LDAP.
With a sweet-sounding name like that, no wonder it never took off.
Don't start slapping IBM and putting on your tinfoil hats people. If IBM doesn't patent this, chances are someone else will, and then sue IBM. Yes, it might be the most obvious thing in the world, and I hate myself for not applying for this patent myself, but in the hands of IBM, it's more or less safe. IBM's not going to sue anyone unless they start spewing FUD like SCO. Hell, I'd prefer this patent in the hands of MS than in anybody SCO-like. Say what you want about MS, but they have tons of patents as well, but they're very lax about enforcing them. Better a patent with IBM/MS than with someone like SCO or Eolas.
Not only is it "not spyware", but now it's prior-artware too!
0 1 - just my two bits
It's repeated so often because the evidence makes it seem true. Perhaps the USPTO is behaving illegally, but we have no grounds to sue them. (And anyway, you can only sue the feds if they agree to allow you to. It's in the constitution.)
It would only be legitimately called a canard if it were false, e.g., if I said they never checked any sources for prior art. I'm sure they must. Probably.
I think we've pushed this "anyone can grow up to be president" thing too far.
If you actually read the patent application, you'll see that they are patenting something much more narrow than you think.
IBM is attempting to patent a UI hack that will detect a signon request from a website or other application, and superimpose their master signon dialog. They are NOT attempting to patent the ideas that are covered by Keychain or Mozilla's autofill. By superimposing their own "widget" exactly where the application specific logon would be, this master signon system preserves the flow of the application UI.
By comparison, the Keychain and autofill solutions can be more intrusive, and can be less secure. IBM's master signon would be entered every time I need to signon. I'd only need to remember one password. By comparison, Keychain and autofill don't require one to log into each application. An office worker can walk away from their desk without locking their screen saver and someone can use their accounts.
Well, I can think of a couple of other pieces of prior art:
1. Mac OS keychain
This one goes back to Mac OS 7.5 (circa 1994-95). It has all of the functionality described in this high-level description.
2. Quicken Vault
Don't know how long it has been around, but it sure sounds like it provides this functionality to me.
Yours,
Jordan Dea-Mattson
For those who tried to follow the (broken) link, I looked this up. It's U.S. published application number 220030159071, which was published on August 12, 2003 and originally filed on Feb. 21, 2002.
This is merely a PUBLISHED PATENT APPLICATION, not a PATENT. There is no indication that the application has as yet been examined. The most that can be said is that IBM has asked to patent what is claimed. Whether it will be allowed, amended, etc., remains to be seen. Anyway, this is claim 1, which is representative of what IBM is going after in this patent:
1. A method within a computing platform of graphically providing a secure field value retrieval and entry, wherein said computing platform includes a display device, a field activation device and a user selection device, said method comprising: displaying a user dialogue to receive a master key value from a user responsive to activation of a field; receiving a computing context indicator regarding the context of said activated field; determining said master key value is a correct master key value; retrieving a field value from a secure field value store which is associated with said computing context, said activated field and a user identification; and automatically entering said retrieved field value into said activated field.
Maybe the examiner will find the good prior art, or maybe even IBM will be good enough to cite it themselves. In any event, what would be NICE, rather than relying merely on the effectiveness of the examiner and the bona fides of the applicant, would be a mechanism to take comments from the public on pending patent applications after they are published and after (or maybe even before) they are examined. This is (more or less) how it works in most other countries (it's called "opposition"), and variations of this approach have been suggested many times in this country and repeatedly shot down or watered down to the point of being useless. Now the Federal Trade Commission is jumping on this as well (it is one of their recent suggestions), but it will probably get nowhere because the small inventor lobby (decidedly NOT the IBMs of the world) is too strong.
IBM, as some other poster has pointed out, has been pretty much a model citizen in the patent world.
One of the biggest problems is that large companies can bankroll the filing of numerous frivolous patents, to increase the noise (in the signal-to-noise ratio) at the patent office. Therefore, should the laws be changed so that:
1) If you file between 1 and 7 patents per year, each patent is the current price, which I call the "base-price".
2) If you file between 8 and 14 patents per year, each of these additional patents starting with the eighth will cost DOUBLE the base-price.
3) If you file between 15 and 28 patents per year, these additional patents will each cost TRIPLE the base-price (you still have to have paid DOUBLE the price for the eighth through the fourteenth, as well as the base price for the first through the seventh).
4) Etc, etc.
This will keep it fair for the little inventor working alone in the basement, who I imagine would have difficulty coming up with seven honestly good quality patents in a year. If a large corporation can afford to employ many inventors, then it should be able to afford the more expensive fees, but will also have an incentive to save money. Furthermore, the patent office gets way more money, ostensibly to hire more patent clerks who can do a good job of rejecting the baddies.
The Constitution does not mention civil suits against the govt.
twit
With the introduction of OS X Apple introduced KeyChain which does this as well. When will the patent everything someone else already implemented mess end?
Later,
Phil
But how can it not be true? The poster used the word "said" instead of the word "the". Everyone knows that only lawyers use the word "said" -- he must know what he's talking about.
1. Steal someone's unpatented invention
2. Patent it yourself
3. Get patent granted...It's easy to do! After all, the patent office is so clueless they would probably issue a patent for: "Brown 25 Organic Lubricant" (see: "The Kentucky Fried Movie") these days.
4. ????
5. Profit!
Specifically, the way virtually all Windows applications ask users for passwords is by creating an edit control with a particular window style, ES_PASSWORD, which is what makes "*"s appear instead of the password's characters. A password-wallet-type hack would hook dialog creation, and scan for edit controls with that flag set. If found, it could use the app name, dialog caption, and possibly control ID as a key to look up the appropriate password entry in some database. It would hide the ES_PASSWORD control and overlay it with one of its own to collect and verify the wallet password, then pump the appropriate real password into the dialog's original control.
No changes to the password-protected application required. I suspect a similar approach could be taken in MacOS, but it's been a long time since I programmed that :-)
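The lookup-and-release step described in the comment above (and in claim 1's "secure field value store"), modelled as an added example that is not part of the original thread or of IBM's application. It does not do the Win32 hooking; the names `Context`, `Wallet` and `WalletError`, the PBKDF2 parameters, and the HMAC-based stream cipher (a standard-library stand-in for an AEAD such as AES-GCM) are all assumptions of this sketch.

```python
import hashlib
import hmac
import json
import os
from typing import NamedTuple, Optional


class Context(NamedTuple):
    """Lookup key: app name, dialog caption and control ID, plus a user ID."""
    user: str
    app: str
    caption: str
    control_id: int

    def encode(self) -> bytes:
        body = json.dumps(list(self)).encode()
        return len(body).to_bytes(4, "big") + body  # length-prefixed, unambiguous


class WalletError(Exception):
    """Wrong master key, or an entry that was altered or moved."""


def _derive(master: str, salt: bytes):
    # One slow derivation yields both keys; the master key itself is never stored.
    km = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]  # (encryption key, MAC key)


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real AEAD cipher.
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Wallet:
    def __init__(self) -> None:
        self.salt = os.urandom(16)
        self.entries = {}  # Context.encode() -> (nonce, ciphertext, tag)

    def store(self, master: str, ctx: Context, password: str) -> None:
        enc_key, mac_key = _derive(master, self.salt)
        nonce = os.urandom(16)
        ct = _xor_stream(enc_key, nonce, password.encode())
        # The tag covers the context, so an entry only verifies where it was stored.
        tag = hmac.new(mac_key, ctx.encode() + nonce + ct, hashlib.sha256).digest()
        self.entries[ctx.encode()] = (nonce, ct, tag)

    def fill(self, master: str, ctx: Context) -> Optional[str]:
        """Return the password for this exact context, or None if none is stored."""
        entry = self.entries.get(ctx.encode())
        if entry is None:
            return None
        nonce, ct, tag = entry
        enc_key, mac_key = _derive(master, self.salt)
        expected = hmac.new(mac_key, ctx.encode() + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise WalletError("wrong master key or tampered entry")
        return _xor_stream(enc_key, nonce, ct).decode()


if __name__ == "__main__":
    # Constructed sample data, not taken from the thread.
    wallet = Wallet()
    ctx = Context("alice", "mailclient.exe", "Mail Server Password", 1001)
    wallet.store("one master passphrase", ctx, "constructed-mail-password")
    print(wallet.fill("one master passphrase", ctx))
    try:
        wallet.fill("not the master", ctx)
    except WalletError as err:
        print("refused:", err)
```

The app name, caption and control ID are strings reported by the requesting dialog, so a real implementation needs a stronger identity for the requester than this lookup key alone.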
I think IBM does have a case here ... a login pops-up that override all logins is very 'original'.
... not invited)
Anyone for a "generic pops-up/banner" mechanism for browser/OS that replaces all pops-up/banner ads?
Or a spam filter that replaces all spams?
Or the *V$ sitefinder* patent?
Anyone? (M$, $CO & V$
You may continue to believe what you read on Slashdot all you like, but it just isn't so. Read some patents, read the citations, and note that you will find cited non-patent prior art. How do you think that gets there? By accident?
And, by the way, there are a kazillion remedies available to you if the USPTO issues a bad patent short of full-scale litigation. If you actually have killer prior art, just file for reexamination, and it would be a matter of course.
Patents inherently aren't bad. But it is the Examiners who have just a little time to find prior art, and the pressure to crank out more patents, that makes it bad. Otherwise, why are patents a problem only in software and not in chip business or say LCD business? The examiners who examine the computer science patents IMHO have no clue about the art there. To know art in comp sci you need to have been around at least since 1985 and track all developments. www.spi.org is an effort in this direction. Let's see how future examiners do a better job. This is not to generalize, some comp sci Examiners are real smart too.
It appears to be a rip-off of RoboForm... Their password management solution does exactly what this patent states, and then some. Free too! There is prior art going back even before roboform (this program is in version 5.+ so has been around for years) ... one only needs to look at discussions by the www3 to see lots of early talk about this sort of thing...
Any kind of password keeper that a web interface would implement. It isn't exactly what I call innovative...
Or you could work to inform people about the problem with so-called software patents thus helping them understand why nobody should have them.
Just because you may avoid an infringement lawsuit doesn't mean you are being helped. Cross-licensing with IBM (or some other big patent holder) means you lose the exclusivity the patent system was built to create. If your product was built on these patents, you now have a potential competitor. This informative summary of a point raised in an old "Think" magazine article is telling:
Any big patent holder likes cross-licensing more than litigation because litigation is more risky than getting the competitive patent holder's permission in a contract. But this strategy can only work for large patent holders--any smaller patent holder cannot cross-license to avoid patent infringement lawsuits because they don't have the war chest of patents to work with.
Software patents are bad for anyone that isn't IBM. It would be reasonable to estimate the threat and harm they pose is inversely proportional to the number of patents one holds. This is not a reasonable way to do business in the field of computer software development. We all should work for bringing an end to this collective threat, not take solace in that we're likely to avoid a trip to court.
Digital Citizen
Bruce Schneier's Password Safe.
Add the USPTO and a ridiculous, unfair lawyer-feeding patent system to rigged elections, corporate media, corporate corruption, colonial adventurism, a military disaster, arrogance and ignore, and you have one superpower imploding. Last month China launched a rocket into space and brought its astronaut back safely. What have you done lately? Lift your game American, or welcome your new overlords!
Goes to show bad ideas can go to worse...
Boy, I get an idea. I think I'll patent the art of reading & writing. No one patented it before (though 80% of the world knows how to do it). OK everybody, listen to this: "anybody who plans to read or write any text gotta send me $10 and get written permission to write". Ain't I a genius??? (following the path of IBM) :|
You appear to be right. I would have sworn that it did, and don't know what that memory was referring to.
I think we've pushed this "anyone can grow up to be president" thing too far.
To do it any other way would be idiotic anyways. It's bad enough that one has to fight with a bunch of "visible" patents when bringing out a product, could you imagine fighting "invisible" ones.
If you bring out product X, then if you do a thorough search for any product ABC patenting X's technology/etc, or just prior art before patenting X yourself, you should be able to feel reasonably secure.
Finding out that some cash-grubbing university who ripped an idea from a student's work (and no, they shouldn't have rights to the students' work anyways) has invalidated your patent would be insane. The patent system needs to be fixed, but at least it's not allowing people to hide their work until a profiting idea springs from similar roots.
IMO, IBM are doing the right thing in many areas, but their patent policy (apply and apply for anything) seems to be out of control.