Slashdot Mirror
IBM Applies for Password Manager Patent
An anonymous reader writes "As of August 21, IBM has applied for a patent on "A convenient and secure system and method for access to any number of password-protected computer applications, web sites and forms without adding to the user cognitive load and without circumventing the inherent security of such password-protection schemes. An existing password field on a device display is overlaid with password wallet pop-up field which allows a wallet "master" key to unlock the wallet. An application-specific and/or user-specific password is automatically retrieved from the wallet and entered into the password field with no other user action required." This isn't much different from Mozilla's "Master Password"."
"BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
SCO story... YAY IBM
Patent story... BOO IBM
do we like Apple today too? or is this an anti apple day? it's hard to keep up
This is also seen in Novell's "Secure Sign-on".
Keep Austin Weird!
Please try to remember that the abstract of a patent doesn't mean a single thing legally. It is just a short summary of the invention, nothing more. The claims are the only part of the patent that has any legal power, and since the poster failed to actually link to the patent or give us the patent number it is hard to say what this patent would cover.
Also try to remember that a patent is for a specific implemenation of an invention and does not cover the general idea of the invention itself. If this were granted it would be possible to come up with your own implementation for password management and not be infringing on the patent.
"I have a porkchop, you have a porkchop. I have a veal, you have a veal".
and he called it "Password Safe".
Said another way, IBM having the patent just prevents some VC-backed cyber squatter patent the idea and then demand royalties from everyone under the sun.
Sig (appended to the end of comments you post, 120 chars)
http://plan9.bell-labs.com/sys/doc/auth.html
The Fourth Edition of Plan 9 includes a substantially reworked security architecture, described in the USENIX Security 2002 conference paper [html, ps, pdf] by Russ Cox, Eric Grosse, Rob Pike, Dave Presotto, and Sean Quinlan.
One particular aspect that other operating systems may wish to adopt is our single-signon solution. A process called factotum is used to hold credentials like passwords and public/private keypairs and perform cryptographic operations. Factotum allows clients to speak a variety of cryptographic protocols and therefore legacy application servers can participate in our single-signon system without change and without even knowing it exists.
The factotum has no direct permanent storage, but rather fetches credentials at startup from a secstore server on the network. To authenticate safely with the secstore, Password Authenticated Key-exchange is used; this implies that the user just has to remember and type one password and passive eavsdroppers or even active malicious intermediaries can not launch even a dictionary attack against the system. The credentials are encrypted for storage on secstore, so even an administrator there would have difficulty reading them.
There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
The person who allowed the patent at the patent office should personally be responsible for any prior art they find afterwards. This person should be obligated to eat a copy of all specifications of prior art available. Either they would learn to appreciate and to digest cellulose or they would take a closer look at the papers they sign.
So the question is does IBM have a new and unique way of doing password management.
Comanies:
SCO: DC 30
IBM: DC 10
Microsoft: DC 20
Amazon: DC 15
MPAA / RIAA: DC 30
Apple (If you use Macs): DC 5
Apple (otherwise) : DC 15
RedHat: DC 5
Disney: DC 15
US Government: DC 20
Other Government: DC 10
Modifiers:
Is switching to linux: -20
Is switching from linux: +15
Is going after Microsoft: -10
_____ vs. SCO : -20
Files a BS patent: +10
Is being investigated by the US government for anti-trust or Fraud: -5
In this case, we have IBM, a DC 10 check. We add a +10 Filing BS patent modifier, and we realize that we'll have to roll a natural 20 to make this check. I rolled a 18, so while I come close to supporting them, I just can't and decide to waste a bunch of my time making these charts instead.
they are talking more about the user interface....
A password field pops up in an application. their software pops up a dialog right over top, and asks you for the master password. It then finds your password and fills in the box.
visually, it makes more sense.
Points 10 - 13 explain what it is they are 'inventing' that is different from existing schemes. They list IE's auto complete, and say it has a failing in that anyone using the computer can autocomplete the form (thus it is not very secure), they mention quicken having a very similar method of requiring one master password to complete any password diaglog, but say that it is not ideal because the API is closed for quicken's exclusive use.
The crux of their solution is that they want to make a generic API that allows their 'invention' to provide a password where requested to any application, browser window or similar.
Of course, as other people have already pointed out, this too has already been done. Novell's single-signon pops to my mind, and I'm sure a lot of other people have done this as well.
This canard, repeated in Slashdot with the frequency of a Bush press release on Fox News, just isn't the case. It does not become more true upon repetition.
Prior art is defined by statute, and the USPTO has no discretion to distinguish between patent and non-patent prior art. The USPTO searches not only the corpus of patent art, but also many commercial and generally available databases of non-patent prior art. Patent claims are frequently (and in some cases famously) refused in view of non-patent prior art.
Singificantly, if you are aware of patent prior art for a published application, there are vehicles by which you may make the art a matter of record. Finally, if a patent issues with respect to which you are aware of prior art (patent or non-patent) raising a substantial new question of patentability, you may either file yourself or bring it to the attention of the Commissioner who may, in his discretion, bring his own reexamination proceeding. Again, patents have been rescinded famously in view of non-prior art in this manner as well (Compton's for example).
If you actually read the patent application, you'll see that they are patenting something much more narrow than you think.
IBM is attempting to patent a UI hack that will detect a signon request from a website or other application, and superimpose their master signon dialog. They are NOT attempting to patent the ideas that are covered by Keychain or Mozilla's autofill. By superimposing their own "widget" exactly where the application specific logon would be, this master signon system preserves the flow of the application UI.
By comparison, the Keychain and autofill solutions can be more intrusive, and can be less secure. IBM's master signon would be entered every time I need to signon. I'd only need to remember one password. By comparison, Keychain and autofill don't require one to log into each application. An office worker can walk away from their desk without locking their screen saver and someone can use their accounts.
For those who tried to follow the (broken) link, I looked this up. It's U.S. published application number 220030159071, which was published on August 12, 2003 and originally filed on Feb. 21, 2002.
This is merely a PUBLISHED PATENT APPLICATION, not a PATENT. There is no indication that the application has as yet been examined. The most that can be said is that IBM has asked to patent what is claimed. Whether it will be allowed, amended, etc., remains to be seen. Anyway, this is claim 1, which is representative of what IBM is going after in this patent:
1. A method within a computing platform of graphically providing a secure field value retrieval and entry, wherein said computing platform includes a display device, a field activation device and a user selection device, said method comprising: displaying a user dialogue to receive a master key value from a user responsive to activation of a field; receiving a computing context indicator regarding the context of said activated field; determining said master key value is a correct master key value; retrieving a field value from a secure field value store which is associated with said computing context, said activated field and a user identification; and automatically entering said retrieved field value into said activated field.
Maybe the examiner will find the good prior art, or maybe even IBM will be good enough to cite it themselves. In any event, what would be NICE, rather than relying merely on the effectiveness of the examiner and the bona fides of the applicant, would be a mechanism to take comments from the public on pending patent applications after they are published and after (or maybe even before) they are examined. This is (more or less) how it works in most other countries (it's called "opposition"), and variations of this approach have been suggested many times in this country and repeatedly shot down or watered down to the point of being useless. Now the Federal Trade Commission is jumping on this as well (it is one of their recebnt suggestions), but it will probably get nowhere because the small inventor lobby (decidedly NOT the IBMs of the world) is too strong.
IBM, as some other poster has pointed out, has been pretty much a model citizen in the patent world.
You may continue to believe what you read on Slashdot all you like, but it just isn't so. Read some patents, read the citations, and note that you will find cited non-patent prior art. How do you think that gets there? By accident?
And, by the way, there are a kazillion remedies available to you if the USPTO issues a bad patent short of full-scale litigation. If you actually have killer prior art, just file for reexamination, and it would be a matter of course.