In 1998, Adolphe Quetelet had been dead for 124 years, but his formula was running the world. A Belgian astronomer who never intended to measure individual health had invented what we now call BMI, a ratio so crude it classifies The Rock as obese. NIST was about to declare that most password complexity rules do more harm than good. And CSS was still four years away from getting border-radius. Three completely unrelated facts that share one thread: the gap between what the science actually says and what we end up doing in practice.
This post is about that gap. Formulas we use without questioning, security theater we accept as normal, visual design we still do by trial and error. We built 12 browser-based tools along the way so you can poke at these ideas yourself. Everything runs client-side; nothing leaves your machine.
Your body is not a spreadsheet (but the math is still useful)

Quetelet designed his index in the 1830s to study populations, not individuals. The WHO adopted it anyway, and now every doctor's office on the planet uses it as a screening shortcut. The formula is almost comically simple: weight in kg divided by height in meters squared. It tells you nothing about muscle mass, bone density, or where your body stores fat. But across large populations, it's still one of the best predictors of metabolic risk we have. BMI is simultaneously too crude for any single person and too useful to throw out. You can calculate yours here if you're curious what the ranges actually mean.
There's a more interesting number that most people have never heard of: your Basal Metabolic Rate. That's the energy your body burns doing absolutely nothing: breathing, pumping blood, keeping your temperature stable. For most adults, it's 60-75% of total daily calorie expenditure. The Mifflin-St Jeor equation, published in 1990, still beats the older Harris-Benedict formula by about 5% in validation studies. Where it gets interesting is when you multiply BMR by an activity factor to get your Total Daily Energy Expenditure (TDEE). That one number explains more about weight gain and loss than any diet book ever written. Run the calculation and see how wildly the number shifts between "sedentary office worker" and "exercises 6 days a week."
And then there's hydration. "8 glasses a day" has essentially no scientific basis. It traces back to a 1945 U.S. Food and Nutrition Board recommendation that got taken out of context; the original text said most of that water comes from food. The National Academies of Sciences eventually published evidence-based guidelines that factor in body weight, activity, and climate. Someone doing manual labor in Phoenix and someone coding in Stockholm need very different amounts of water. We built a personalized calculator based on those guidelines.
The password problem is worse than you think
"P@ssw0rd!" passes most website complexity requirements. Capital letter, check. Number, check. Special character, check. Eight characters, check. An attacker with a modest GPU rig cracks it in seconds.
We've been measuring password strength wrong for decades. The traditional rules (must contain uppercase, lowercase, number, symbol) optimize for human inconvenience, not cryptographic resistance. What actually matters is entropy: the number of bits of randomness in your password. A 20-character passphrase of random common words has vastly more entropy than "Tr0ub4dor&3", even though it looks simpler. NIST SP 800-63B, published in 2017, finally acknowledged this by recommending that systems check passwords against known breach databases instead of enforcing arbitrary complexity. Test your own passwords and see the entropy calculation; the crack-time estimates are sobering.
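To make the difference between composition rules, naive entropy, and a blocklist check concrete, here is an added example (not code from the original post or its tools). The four-entry blocklist, the substitution table, and the 7776-word list size used for the passphrase are assumptions chosen for illustration.

```javascript
// Added example. BLOCKLIST is a tiny constructed stand-in for a real breach corpus.
const BLOCKLIST = new Set(["password", "qwerty", "letmein", "dragon"]);
const LEET = { "@": "a", "0": "o", "1": "l", "3": "e", "4": "a", "$": "s", "5": "s", "7": "t" };

// The classic composition rule: 8+ characters with upper, lower, digit and symbol.
function passesComplexityRules(pw) {
  return pw.length >= 8 && /[A-Z]/.test(pw) && /[a-z]/.test(pw) &&
    /[0-9]/.test(pw) && /[^A-Za-z0-9]/.test(pw);
}

// Naive estimate: length * log2(alphabet size). This is only an upper bound,
// valid when every character is chosen uniformly at random.
function charsetEntropyBits(pw) {
  let alphabet = 0;
  if (/[a-z]/.test(pw)) alphabet += 26;
  if (/[A-Z]/.test(pw)) alphabet += 26;
  if (/[0-9]/.test(pw)) alphabet += 10;
  if (/[^A-Za-z0-9]/.test(pw)) alphabet += 33; // remaining printable ASCII
  return alphabet ? pw.length * Math.log2(alphabet) : 0;
}

// Entropy of `words` words drawn uniformly at random from a list of `listSize`.
function passphraseEntropyBits(words, listSize) {
  return words * Math.log2(listSize);
}

// Lower-case, drop trailing digits/symbols, undo common letter substitutions.
function normalize(pw) {
  const core = pw.toLowerCase().replace(/[^a-z]+$/, "");
  return [...core].map((ch) => LEET[ch] ?? ch).join("");
}

// Combine the three views of one password.
function assess(pw) {
  return {
    passesRules: passesComplexityRules(pw),
    naiveBits: Math.round(charsetEntropyBits(pw)),
    blocklisted: BLOCKLIST.has(normalize(pw)),
  };
}

console.log(assess("P@ssw0rd!"));
console.log(Math.round(passphraseEntropyBits(6, 7776)), "bits for six random words");
```

The naive figure for "P@ssw0rd!" looks respectable only because the formula assumes random characters; the blocklist lookup after normalization is what exposes it.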
Since we're on cryptography: every modern encryption algorithm descends, conceptually, from a 2000-year-old trick. Julius Caesar shifted each letter in his military messages by three positions. A became D, B became E. Suetonius documented it. The cipher is trivially breakable now (there are only 25 possible keys), but it contains the core idea behind all symmetric encryption: a reversible transformation controlled by a secret key. If you've never played with one, try it. Encrypting and decrypting a few messages by hand gives you an intuition for how encryption works that no textbook can.
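The shift cipher and its tiny key space, as an added example that is not part of the original post. The letter-frequency table holds approximate English percentages and the sample sentence is constructed; the key-recovery function goes one step beyond the text by scoring every candidate key with a chi-squared test instead of reading the candidates by eye.

```javascript
// Approximate English letter frequencies in percent, a..z (assumed reference table).
const ENGLISH_FREQ = [8.17, 1.49, 2.78, 4.25, 12.70, 2.23, 2.02, 6.09, 6.97,
  0.15, 0.77, 4.03, 2.41, 6.75, 7.51, 1.93, 0.10, 5.99, 6.33, 9.06, 2.76,
  0.98, 2.36, 0.15, 1.97, 0.07];

// Shift A-Z and a-z by `key` positions (mod 26); other characters pass through.
// Decryption is the same transformation with the negated key.
function caesar(text, key) {
  const k = ((key % 26) + 26) % 26;
  return text.replace(/[a-z]/gi, (ch) => {
    const base = ch <= "Z" ? 65 : 97;
    return String.fromCharCode(((ch.charCodeAt(0) - base + k) % 26) + base);
  });
}

// Chi-squared distance between the text's letter counts and English.
// Lower means "looks more like English".
function chiSquared(text) {
  const counts = new Array(26).fill(0);
  let n = 0;
  for (const ch of text.toLowerCase()) {
    const i = ch.charCodeAt(0) - 97;
    if (i >= 0 && i < 26) { counts[i]++; n++; }
  }
  if (n === 0) return Infinity;
  return counts.reduce((sum, c, i) => {
    const expected = (ENGLISH_FREQ[i] / 100) * n;
    return sum + (c - expected) ** 2 / expected;
  }, 0);
}

// Try every key and keep the one whose decryption scores best.
function recoverKey(ciphertext) {
  let best = { key: 0, score: Infinity };
  for (let key = 0; key < 26; key++) {
    const score = chiSquared(caesar(ciphertext, -key));
    if (score < best.score) best = { key, score };
  }
  return best.key;
}

// Constructed sample message.
const SAMPLE = "Meet me near the old stone bridge after the evening session ends";
const SAMPLE_CIPHERTEXT = caesar(SAMPLE, 3);
console.log(SAMPLE_CIPHERTEXT, "-> key", recoverKey(SAMPLE_CIPHERTEXT));
```

The whole search is 26 decryptions, which is why key-space size, not secrecy of the method, is what a cipher's strength rests on.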
On the opposite end sits hashing, encryption's one-way cousin. A hash function takes any input and produces a fixed-size output that's practically impossible to reverse. SHA-256, the same algorithm securing Bitcoin's blockchain and Git's commit history, will spit out a completely different 64-character hex string if you change a single bit of input. This is called the avalanche effect, and it's what makes hashes useful for file integrity, password storage, and content-addressable systems. NIST recommends SHA-256 or higher for anything security-sensitive. Generate hashes for any text and see the avalanche effect for yourself.
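The avalanche effect can be measured rather than eyeballed. This added example (not code from the original post or its tools) flips one input bit, hashes both versions with the Web Crypto API, and counts how many of the 256 output bits changed; the function names are illustrative.

```javascript
// Added example. Browsers and current Node expose Web Crypto globally;
// the fallback covers older Node releases.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;

// SHA-256 of a byte array, returned as raw bytes.
async function sha256(bytes) {
  return new Uint8Array(await subtle.digest("SHA-256", bytes));
}

function toHex(bytes) {
  return [...bytes].map((b) => b.toString(16).padStart(2, "0")).join("");
}

// Number of bit positions in which two equal-length byte arrays differ.
function hammingDistance(a, b) {
  let bits = 0;
  for (let i = 0; i < a.length; i++) {
    let x = a[i] ^ b[i];
    while (x) { bits += x & 1; x >>= 1; }
  }
  return bits;
}

// Flip exactly one bit of the UTF-8 encoded message, hash both versions,
// and report how many of the 256 digest bits changed.
async function avalanche(message, bitIndex) {
  const original = new TextEncoder().encode(message);
  if (bitIndex < 0 || bitIndex >= original.length * 8) {
    throw new RangeError("bitIndex is outside the message");
  }
  const flipped = original.slice();
  flipped[bitIndex >> 3] ^= 1 << (bitIndex & 7);
  const [h1, h2] = await Promise.all([sha256(original), sha256(flipped)]);
  return { before: toHex(h1), after: toHex(h2), changedBits: hammingDistance(h1, h2) };
}

avalanche("abc", 0).then((r) => {
  console.log(r.before);
  console.log(r.after);
  console.log(`${r.changedBits} of 256 bits changed`);
});
```

A well-behaved hash changes about half the output bits, so a count near 128 is the expected result for any single-bit flip.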
Why CSS visual properties are still a guessing game
Something strange about modern web development: we have TypeScript catching type errors before runtime, linters enforcing code style automatically, CI pipelines that won't let you merge a missing semicolon. But when it comes to visual CSS properties like border-radius, box-shadow, and gradients, we're still typing numbers, saving, reloading, squinting, and typing different numbers. It's the most manual part of an otherwise increasingly automated workflow.

Take border-radius. Most developers know it rounds corners. Fewer know it supports the slash notation (border-radius: 10px 30px 50px 10px / 20px 40px) that creates asymmetric, organic shapes. Go ahead, try guessing those values in DevTools. You can't. Your brain isn't wired to map eight numbers to a 2D shape. A visual editor where you drag corners and see the result isn't a convenience; it's the only sane way to explore the full range of the property.
Shadows are worse. Material Design's elevation system layers multiple shadows with different offsets, blurs, and opacities to simulate realistic depth. A single card component in Material UI uses three stacked box-shadow values. Getting that right by hand is like mixing paint colors by reading hex codes: technically possible, practically absurd. A layered shadow editor with real-time preview is the difference between "this shadow looks off" and "this shadow looks like a physical object."
Gradients are the most underused of the three. Linear ones are everywhere. Radial gradients show up sometimes. But conic gradients, specified in the CSS Images Level 3 spec, remain almost unknown even though every modern browser supports them. They can do pie charts, color wheels, and angular sweeps without a single line of JavaScript or SVG. Put all three gradient types in one editor and you start discovering combinations you'd never think to try.
The hidden cost of leaving things plugged in
Quick detour into energy economics. The average American household spends about $1,500 a year on electricity, and most people couldn't tell you which devices eat most of it. A 2000W space heater running 8 hours a day costs roughly $50-60 per month at average U.S. rates. A gaming PC left on 24/7 can add $30-40. Even swapping a single incandescent bulb for an LED saves about $10 per year.
The math is simple enough: watts times hours times rate per kWh. But doing it for every device in your house is tedious enough that nobody does it. We built an electricity cost calculator that breaks it down daily, weekly, monthly, and yearly. The results tend to change behavior.
Two more, because small frictions add up. The 4.0 GPA scale is uniquely American and uniquely confusing for international students; weighted credits, letter-grade conversions, and different scales across countries turn a simple average into a headache. And splitting a restaurant bill (tip calculator) shouldn't require a group negotiation, especially when tipping norms vary wildly between countries (15% in the U.S., 0% in Japan, service charge included in France).
A note on privacy
Every tool mentioned here runs entirely in your browser using the Web Crypto API and standard JavaScript. No server calls, no analytics on your inputs, no accounts. Your passwords, health data, and CSS experiments stay on your machine. This isn't a feature we're highlighting; it's the only way these tools should work. The fact that most alternatives require you to send sensitive data to a server to perform a simple calculation is the real story.