I always enjoy browsing through password-related patents to see all the flawed, silly, or outright dumb ideas that people come up with in an attempt to improve how we authenticate ourselves in the digital realm. What amazes me though is how many patents I encounter that have been granted for some of the most obvious, well-known and ordinary techniques we use in the authentication process. In fact, every imaginable aspect of password selection, authentication, storage, and recovery seems to be covered by one or more patents.

As the title says, the process of checking for common or weak passwords is patented. In fact, it is covered by quite a few patents:

But this is just one aspect of password use; there are also patents covering recovery of forgotten passwords, secure password resets, using one-time passwords, account lockout, generating pronounceable passwords, password hints, and even backdoor passwords. In fact, one could argue that this patent here even covers passwords themselves (except for the notable prior art of open sesame).

Indeed, the first question one might ask is: do we really even care that someone has patented so many elements of password authentication? The answer is that we probably don’t care. Many of these patents were likely acquired as a defensive stance to protect intellectual property and to prevent others from making claims on a company’s work. We certainly shouldn’t expect IBM to block or require licensing fees from anyone who compares passwords to a list of trivial character combinations, and IBM owning this patent probably helps to protect us all from patent trolls.

On the other hand, recent court cases have shown a marked increase in lawsuits from patent trolls, leveraging huge patent collections against competitors, or blocking rival products by patenting trivial and obvious design features. Unlike trademarks, patents do not require the holder to actually use the patent and do not require the holder to defend all violations of the patent to ensure its validity. This is what makes patents so attractive to patent trolls — they can sit on a patent for years and wait for significant investment and widespread use before launching their attack. If nothing else, massive patent portfolios are a significant legal bargaining chip for any corporation.

Legally, it is within the rights of these patent holders to enforce their patents, but should these patents ever have been granted in the first place?

Although some patents I have run across are truly novel and innovative, many are obvious and ordinary and should never have been granted. So many aspects of password management have been patented that any typical system would easily violate dozens of patents. To allow patents on every small aspect of software is just like allowing musicians to patent every new sequence of notes they invent — eventually it would be nearly impossible to write music without violating patents.

Again, chances are that most of these patents would never be enforced by their holders, but it is absurd that we should even have to consider doing a patent search if we want to make sure our password reset feature doesn’t violate someone else’s intellectual property.

In the meantime, because so many companies and patent trolls are hoarding patents, every other company is forced to build their own stockpile by filing applications for anything they deem remotely patentable. It’s kind of like nuclear weapons — it sucks being the only country without one. The problem is, most of the time it’s only the big players who win.