Wednesday, April 9, 2014

What Your Post-Heartbleed Passwords Should Be

In the next few days more people than ever will struggle to invent new passwords in a short time. How should you do it?
The good news: More and more browsers and operating systems can generate long, random passwords. They would be tough to remember but you don't have to remember them. The browser or OS stores them.
The bad news: You're trusting the security of that browser or OS. OpenSSL was also supposed to be impeccably secure. Then just this week it wasn't.
Aside from the possibly justified paranoia is a convenience issue. Most of us use multiple devices and occasionally log into important accounts from family or friends' devices. This makes it tough to depend on "Cloud" synchronization of stored passwords.
The best, most realistic of the commonly advised password tactics is to convert a memorable phrase or sentence to a password. Use the first letter of each word as your password. “May the force be with you” would become “Mtfbwy”.
Cool. I mean, OK, you wouldn’t want to use that one, but you get the basic idea. Choose a phrase meaningful to you and you alone. 
There are several drawbacks. This well-publicized idea is already popular. That presumably means that acronyms of all the common pop-culture catch phrases are entering the lists of popular passwords that hackers and cracking software try first. Normally acronyms are all letters and thus less secure than an any-character string of the same length.
Different phrases can begin with the same letters, producing the same acronym. Some letters are more likely to begin words than others, and hacking software could potentially exploit this.
Now here's my suggestion, and I use it myself. Turn the conventional advice on its head. Instead of thinking of a phrase and converting it to a password (that won’t be all that random), get a truly random password and convert it to an easy-to-remember phrase.
I used to use simple, stupid passwords. After one of my accounts was hacked, the site assigned me a temporary password. It was a random string of characters. I was going to change it until I realized that I didn’t need to do so. I could remember a random password.
The mind is good at seeing patterns in random data. This is how we remember phone numbers and Social Security numbers. It also works for random-character passwords like RPM8t4ka. I just now got that one from random.org, a site that generates all the randomness anyone could want for free. Though the random.org password is authentically random, the human eye and mind instantly spot patterns. In this case the first three letters happen to be all capital, and the last three are lower-case. The number 8 is twice 4.
You can easily translate a random password to a nonsense phrase. RPM8t4ka might become “revolutions per minute, 8 track for Kathy.” I don’t know what that means but I do know that it’s fairly easy to remember. The sole point of the phrase is as a mnemonic for the password RPM8t4ka.
A password, a passphrase, a mnemonic—what’s the big deal? The difference is that a random-character password is the gold standard of security. It’s better than any human-chosen password could be. It will still be good, even if everyone in the solar system were to adopt this scheme.
Want a different password for every site? One trick is to append part of the site's name to the standard password. For Facebook, take the first two letters (Fa) and add them to the boilerplate password, getting RPM8t4kaFa. Just don't do exactly that; make up your own rule.
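The comparison above between acronym passwords and random ones can be put in numbers. The following Python sketch is an added example, not part of the original post: it draws an 8-character password of the same kind as RPM8t4ka from the operating system's CSPRNG and sets its entropy beside a rough estimate for a same-length acronym. The sample text and all function names are constructed for illustration.

```python
import math
import secrets
import string
from collections import Counter

# Same character classes as the post's example RPM8t4ka: upper, lower, digits.
ALPHABET = string.ascii_letters + string.digits  # 62 symbols

# Constructed sample of ordinary English, used only to estimate how unevenly
# first letters are distributed. A real estimate would need a large corpus.
SAMPLE_TEXT = (
    "the quick way to pick a password is to think of a line from a song "
    "or a film that you already know and then take the first letter of "
    "each word so that the result looks random but it is not because "
    "some letters start many more words than others and an attacker "
    "who knows this can try the likely strings before the unlikely ones"
)


def random_password(length=8, alphabet=ALPHABET):
    """Draw each character independently and uniformly from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def acronym(phrase):
    """First letter of each word, as in 'May the force be with you'."""
    return "".join(word[0] for word in phrase.split())


def uniform_bits(length, alphabet_size):
    """Entropy in bits of a string of independent, uniform characters."""
    return length * math.log2(alphabet_size)


def first_letter_bits(text=SAMPLE_TEXT):
    """Shannon entropy (bits per character) of word-initial letters in text."""
    counts = Counter(w[0].lower() for w in text.split() if w[0].isalpha())
    total = sum(counts.values())
    return -sum(n / total * math.log2(n / total) for n in counts.values())


def acronym_bits(length, text=SAMPLE_TEXT):
    """Rough estimate for an all-lowercase acronym: treats the letters as
    independent, which real phrases are not, so the true figure is lower."""
    return length * first_letter_bits(text)


if __name__ == "__main__":
    print("acronym:", acronym("May the force be with you"))
    print("random :", random_password())
    print(f"8 random chars from 62 : {uniform_bits(8, 62):.1f} bits")
    print(f"8 random letters (26)  : {uniform_bits(8, 26):.1f} bits")
    print(f"8-letter acronym (est.): {acronym_bits(8):.1f} bits")
```

The gap between the last two figures is the skew in word-initial letters that the post mentions; the gap between the first two is the cost of using letters only.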
(This tip is adapted from my upcoming book, Rock Breaks Scissors. It's due out from Little, Brown this June 3rd.)

Tuesday, August 10, 2010

Anchoring Is Back: Meet the $69 Hot Dog

Pity the summer tourist in New York, the city where everything is more expensive than it is back home. Last month, Serendipity 3, an East Side eatery popular with visitors, introduced a $69 hot dog. Call that a leading indicator: Several Manhattan restaurants introduced $100+ hamburgers prior to the 2008 meltdown, but not many have since — maybe lest the masses storm the place with pitchforks. Like the hamburgers, Serendipity 3's "Foot-Long Haute Dog" attempts to justify the price with the garnishes. The hot dog comes with medallions of foie gras with black truffles and caramelized Vidalia onions. The accompanying ketchup is said to be made from heirloom tomatoes, and the Dijon mustard is spiked with truffle shavings. Foodies are left to ponder how well the flavor of truffles and foie gras stands up to a good slathering of condiments.
Serendipity 3 is a dessert-heavy place popular with tourists wanting to see celebrities. The fanfare over the $69 hot dog was transparently a way of getting that crowd's attention. The new dish was introduced on National Hot Dog Day with a representative of the Guinness Book of World Records on hand to "certify" it as the world's most expensive hot dog. The restaurant's very busy press agent, Joe Calderone, talked up the $69 frank and the alleged celebrity clientele to anyone who would listen. ("Cher is a regular who always gets the regular foot-long. Now we will offer her the most expensive one.")
Absurdly priced menu items are more than a publicity gimmick. They're an application of "anchoring," a cognitive phenomenon discovered by psychologists Amos Tversky and Daniel Kahneman in the 1970s. Whenever we try to estimate a numerical value, we are unconsciously influenced by related numbers just considered. In this case, the diner in a touristy Manhattan restaurant is trying to decide how much he or she can afford to spend. The familiar prices back home don't apply. That diner isn't going to order a $69 hot dog, but might happily opt for a $17.95 cheeseburger. The hot dog makes the cheeseburger appear reasonable in comparison (even though $17.95 would be a ridiculous price for a cheeseburger almost anywhere else). In scores of careful laboratory studies, price contrasts like that affect decisions. Restaurateurs and consultants believe it works on menus, too.
The hot dog isn't the most expensive thing on the Serendipity 3 menu. They have a $1000 chocolate sundae, a legacy anchor introduced before the Great Recession. Its agenda is to boost the amount spent on desserts. The $1000 price, printed in big type, convinces average folks that it's sensible to pay $15.50 for a "fruit and fudge" confection, or $22.50 for a "Cheese Cake Vesuvius." Menu anchors in the $1000 price range are in the semi-mythic category. It doesn't cost anything to have them on the menu, and Serendipity 3 even demands 48 hours' notice. (How many billionaires plan an ice-cream sundae 48 hours in advance?) The Golden Opulence Sundae is said to be Tahitian vanilla ice cream lavished with edible 23-carat-gold leaf and caviar and chocolate — another dubious combination. Would Serendipity 3's chef make one if you ordered it? You bet! The profit margin must be astronomical. Does anyone order it? How often does that happen? Calderone told AOL News that the restaurant sells about one $1000 sundae a week. If you believe that, you don't know much about how press agents make a living.

Tuesday, May 18, 2010

Why No One’s Saying What Charlie Sheen Got

At the moment — but probably not for long — the biggest secret of TV is how much money CBS had to pay Charlie Sheen to continue his hit sitcom, Two and a Half Men. Sheen was reportedly making just under $1 million an episode when his contract expired last month. He hinted he was ready to call it quits. That would have been very bad news for CBS, which draws 15 million viewers an episode. It’s been claimed that the actor was asking for $2 million an episode, and that the talk of quitting was just a bluff.
How much is a sitcom star worth? Answer: Nobody has a clue. It's one thing to compute the revenue stream from Two and a Half Men. It's another to apportion that between Sheen, his co-stars Jon Cryer and Angus T. Jones, the other actors, the writers, and directors. How do you discount for Sheen's much-publicized personal demons and the uncertainties they raise?
One thing's for sure: CBS doesn’t want a repeat of the Seinfeld fiasco. In 1997 Jerry Seinfeld announced he was quitting his hit sitcom, Seinfeld, whose importance to NBC then was much like Two and a Half Men’s importance to CBS now. Unlike Sheen, Seinfeld meant it. He was quitting… walking out the door. Really.
Seinfeld was then making $1 million an episode, an unheard-of sum. NBC dangled an offer of $5 million an episode, to do one more season.
Seinfeld said no. Inevitably, word of the NBC offer leaked out. The network brass must have hoped that everyone would appreciate that Seinfeld was a special case and that the $5 million offer did not set a precedent.
Actors thought otherwise. Over the next few years, star — and sidekick — salary demands escalated as never before. In 2002, the leads of Friends collectively bargained their way to $1 million per episode, per “friend.” Ray Romano was making $800,000 an episode for Everybody Loves Raymond, and Frasier’s Kelsey Grammer was the leader with $1.6 million an episode.
NBC’s failed bid to make Seinfeld stay ended up being hugely expensive for all the networks, broadcast and cable. You may ask how that can be. Sitcom salaries are a classic example of what economists call “coherent arbitrariness.” No one knows exactly what a TV star is worth. Given that uncertainty, people are influenced by any salient numbers that are out there. The mere knowledge that NBC had offered (not paid!) $5 million an episode caused everyone to raise their estimates of what TV actors are worth.
This is the "arbitrary" part. Estimates of actor salaries are also coherent, in that everyone appreciates that a star should make more than a supporting player; a hit show's actors should make more than those in a dud. Indeed, James Gandolfini once shut down The Sopranos after he found out he was only making as much money as the housekeeper on Frasier.
In an April statement, Charlie Sheen said, “All of the numbers reported in the press are false. Claims from ‘inside sources’ regarding offers from the studio as well as my salary, on their best day, are without merit.” True or not, Sheen’s new salary can't stay secret for long. When it leaks out, it’s likely to generate another wave of aggressive demands by actors — at all levels of the TV food chain.

Friday, May 14, 2010

Article in Playboy

I've got an article, "How Much Will You Pay?" in the June Playboy (yes, the issue with the 3D centerfold).

Wednesday, April 28, 2010

Monetizing the Male Ego

Every marketer has to decide how much product to sell and at what price. Few are as fortunate as condom makers, whose customers are glad to pay a premium for a product that isn't much bigger or better. Consider the Magnum line of plus-size condoms, a sub-brand of industry leader Trojan. Magnum's share of the market has surged (if you'll excuse the expression) from 4.6 percent of the market in 2001 to 18.8 percent today. The size of the American male has not seen a similar increase.
"Bigger than most condoms, it is designed to fit those that find normal condoms too constricting," reads one website's copy for Magnum. It closes on the tantalizing note: "These are a little smaller in Width and length than the Magnum XL's."
Oh, yes, then there are Magnum XL's. The copy tries to upsell the Trojan customer to Magnum, and the Magnum customer to XL. It's easy to see why men fall for this particular sales pitch. It's also easy to see why Trojan loves Magnums. A box of 12 regular Trojans retails for around $5.99; a box of Magnums is $7.99. That's a 33 percent premium. Then there's Magnum Ecstasy, at $10.99 for a box that contains only 10. I doubt that anyone buying a product called "Magnum Ecstasy" does the math, but that's over twice the unit price of the regular Trojans.
Were these gloves instead of love gloves, "small," "medium," and "large" would retail for the same price. So the Magnum premium is pure profit. Furthermore, Trojan has never advertised Magnums. It doesn't have to.
What's not so obvious is the smoke and mirrors behind the Magnum brand. Jim Daniels, vice-president of marketing for Trojan, confessed to the New York Times that Magnums are basically the same size, just a little wider in the middle.
The regular Trojan, the Magnum, and the Magnum XL all measure 2 inches wide at the base. The base has to cinch snugly to keep the thing on. There's a slight difference in length. A Trojan Non-Lubricated is 7.8 inches long, vs. 8.12 inches for Magnum. The 0.32-inch difference qualifies as a rounding error in anyone's night of pleasure. As to the Magnum XLs, well, they're 8.12 inches long, too.
The difference is in the width of the shaft. Measured at the head, Trojans are 2 inches wide, Magnums are 2.5 inches, and Magnum XL's are 2.75 inches. Well okay, that's a difference. But since all the condoms taper to 2 inches at the base, the Magnums have a rather bizarre shape. It's less a beer can than a very fashionable cocktail shaker of the 1930s.
A rival brand, LifeStyles, has a "King XL" size whose vital statistics are virtually the same as the regular Trojans. There's no policing of the XL designation. And that's probably fine with all parties concerned. This is America, the land where any man can be an XL. All it takes is a little extra cash.

Tuesday, April 6, 2010

Pricing the eBook

The iPad's release has renewed the question, what should an eBook cost? Answers range from “free” to “whatever the market will bear.” Psychologists would say the operative word is “whatever.” At issue is the phenomenon of “anchoring,” discovered by Amos Tversky and Daniel Kahneman. When people don’t know what a fundamentally new product should cost, they are strongly influenced by the first price they encounter. It’s like the way a baby chick decides that whatever creature it sees first is its mother.
For Kindle readers, that all-important first price is likely to be the $9.99 price that Amazon pioneered. Publishers fear those readers will thereafter take that as the “fair” price for eBooks and resist any attempt to charge more. What’s wrong with that? Well, Amazon is using another, more familiar pricing trick, the loss leader. It’s been reported that Amazon is losing money on each eBook sale, as it’s paying publishers more than $9.99. This tactic is probably a smart way to promote sales of the Kindle and to burnish Amazon’s reputation for low prices.
Apple's new iPad Bookstore allows publishers to set prices. Contrary to early speculation, Apple is selling many bestsellers for the "Amazon" price of $9.99. Otherwise $12.99 is a common price point at the iPad Bookstore. Meanwhile, Amazon has quietly raised prices for many eBooks — often inscrutably — as a result of new agreements with publishers. (My book Priceless originally sold for $9.99 in a Kindle edition. Amazon raised the price to $14.99, then cut it to $12.99. That's three prices in the two weeks it's been out. By the way, don't blame me: Authors have nothing to do with setting prices.)
The net effect of the iPad so far: There's a wider range of eBook prices and less price difference between Apple and Amazon than the pundits predicted.
We would like to believe that the free market, and not corporate posturing, sets equitable prices. On closer inspection, the “market” price of a book has always been a chimera. Should Don Delillo’s Point Omega cost less because it’s only 128 pages? Should Stephenie Meyer’s Twilight books cost more because some of her fans would pay almost anything? For the most part, the publishing industry says no. In defiance of economics, there is only a limited attempt to price by wordage or reader demand. This is another demonstration of how peculiar a business book publishing is.
Any discussion of eBook pricing now has three psychological anchors. They are the current price of hardcover books (let’s say around $27), the once-standard Amazon Kindle price ($9.99), and the “information wants to be free” price of zero. All agree that the price of an eBook should be a good deal less than the price of a hardcover. There are no trees to cut down, and no boxes to ship. Everyone in the book business also agrees that the price of a new book must be a good deal more than zero. (We may or may not be heading towards an age of free information, but there will be no publishers, booksellers, or professional authors in that digital nirvana.) A reasonable person might ask, what does it cost to produce and market an eBook? But that's like asking what does it cost to make a movie. The answer can be zero (YouTube) or $500 million (Avatar).
The biggest unknown of all is what the consumer will pay. I remember a time in my twenties when I realized, with delight, that I could afford to buy all the books I could read. I imagine I’m not atypical of avid readers in saying that I wouldn’t read any more books if they were all free, and I wouldn’t read much less if they cost twice as much. An economist would argue that most of the “cost” of a book resides in the precious leisure time expended reading it. Figure how many hours you spend reading a book and multiply by your billing rate. It’s going to be a lot more than $12.99. We’re dickering over the tip, not the restaurant bill.
But most people don’t think like economists. The value of one’s own time is not so easily quantified as a price printed on a jacket. That price carries disproportionate weight in purchase decisions, and people can get upset over the most incremental increase (“it’s the principle of the thing!”). Confirming the anchoring theory, it’s reported that some readers are upset at Apple for trying to raise prices above the God-, or Amazon-given $9.99.
Psychologists say that prices have an element of confabulation. We spin a mental narrative in which the prices we set are exact, rigorous, and inevitable — oblivious to how arbitrary those prices actually are. I suspect that everyone involved in the eBook price war would be just as upset, had the line in the sand been drawn at $4.99 or $19.99. I don’t know what eBook prices we’ll end up with, but I’m reasonably sure of one thing: If we think there’s an entirely logical price for a digital book, we’re only fooling ourselves.

Sunday, April 4, 2010

The Loser’s Curse

Richard Thaler has an article in today's New York Times on mispricing of NFL talent. In the NFL draft, losing teams trade away too much for "first pick" players, Thaler and Cade Massey argue in a recently updated paper.

"We found that the teams choosing early in the draft generally don’t, in fact, get the players that provide the most value per dollar. Our paper is titled “The Loser’s Curse” because we discovered that the first pick in the draft is, on average, the least valuable in the entire first round.
"That surprising result has implications not only for football, but also for any domain where organizations try to select talent, whether C.E.O.’s or their own “rookies” — newly minted graduates."


In related news, the Times has an amusing graphic comparing some star CEOs' compensation to their companies' performance.