Science & Tech

The password was always a stopgap. In the early 1960s, engineers at the Massachusetts Institute of Technology needed a way for several people to share a single mainframe while keeping their files separate, so each user was assigned a string to identify themselves at the terminal. That was the moment passwords entered computing. Back then, computers were rare and the trick was clever enough. Nobody imagined that half a century later every ordinary person would be juggling dozens of them, each one demanding upper case, lower case, digits and symbols, with a forced reset every ninety days.

People dislike passwords not because they are complicated but because they are contradictory. Security wants them long, random and unique. Memory wants them short, smooth and meaningful. Two opposite demands have been crammed into the same input box. The friction is amplified by the fact that every system has its own private rulebook. A bank insists on at least twelve characters with a special symbol. A corporate intranet forbids certain symbols. An older system caps you at eight characters and refuses to accept a space. Some sites force a change every ninety days and reject any password that matches the last ten you used. Coming up with a single new combination that satisfies one site’s quirks is already a small mental task.

Using one password everywhere is, in practice, impossible. The rules across systems are mutually incompatible, so even the laziest user is forced to vary. And even if uniformity were allowed, reuse would be a poor idea, because a single breach gives attackers a string they can spray against every other account a person owns. One leak can cascade through a dozen services. Yet remembering several dozen unique strings, each tailored to its own peculiar rules, is beyond most people. So forgetting passwords becomes routine, with users endlessly clicking reset links, waiting for verification emails, and scribbling new attempts onto sticky notes. There is a permanent gap between the limits of human memory and the demands of modern authentication, and the password model sits squarely on top of that gap.

Password managers emerged to bridge it. They generate, store and autofill credentials, which appears to solve the problem. But the convenience hides a different risk: every egg sits in one basket. Cloud-synced products like LastPass and 1Password trade local storage for cross-device access, which means the entire encrypted vault lives on a vendor’s servers. Local-only tools such as KeePass spread the risk but burden users with manual syncing, which is why they have never reached mainstream adoption. The LastPass breach in late 2022 became the cautionary case for the cloud-vault model. Once the master password or vault is compromised, everything inside is exposed at once. Concentrating trust in a single point is not safer; it is a bigger bet placed in a single location.

Passphrases were the next idea. Replace the random gibberish with a string of memorable words, four or five English terms strung together, theoretically longer and harder to crack while easier to remember. Passphrases never quite caught on, and the reason was systemic rather than human. Many websites still cap the password field at fifteen characters and disallow spaces. The deeper issue is that a passphrase, however clever, is still a shared secret. The user knows it; the server knows it. Once that string has left the user’s head and been transmitted, stored or cached, it can be stolen.

Social login took a different route. Authentication is delegated to Google, Facebook or Apple, and the user clicks a single button to be on their way. The convenience is real, but the price is that personal identity and behavioural data are handed to the platform with each click. Every login adds another data point about where the user is, what they use and what they do. It is a bargain trading privacy for ease, and most users do not fully grasp what they are giving up.

Social login also carries a less visible nuisance. Many people sign up casually with Google, forget about it some months later, then return and create another account with Facebook. The result is two unlinked profiles inside the same service, with purchase history, subscriptions and points fragmented between them. The site’s engineers must then decide whether to merge the accounts, link them or keep them separate. Each option has side effects, and the logic written to handle these cases often becomes more complex than the authentication itself. The smooth surface of social login is supported by a tangled web of identity reconciliation underneath.

Through all of these iterations, the underlying problem went untouched. The shared secret model itself is the source of the trouble. As long as user and server must both hold the same string, that string can be phished, intercepted or leaked. To fix the problem properly, the model has to change.

That is exactly what passkeys do. They are built on asymmetric cryptography. When a user registers, the device generates a key pair: the private key stays inside the device’s secure chip and never leaves; the public key is handed to the server. To log in, the server issues a challenge, the device signs it with the private key, and the server verifies the signature using the public key. No secret travels across the network at any point. A phishing site that mimics the real one perfectly cannot extract anything usable, because the passkey is bound to the original domain and refuses to operate on any other.

The historical drawback of passkeys was that the private key existed only on a single device, which meant switching phones required re-registering every account from scratch. That barrier has now been cleared. Apple’s iCloud Keychain, Google’s Chrome Password Manager and Microsoft’s Authenticator combined with a Microsoft account can each sync passkeys to a user’s other devices. For those who distrust the cloud, hardware security keys such as YubiKey keep the credential locked inside a physical chip that the user carries with them.

On the surface this looks identical to a password manager: both move login credentials between devices. But what they protect is fundamentally different in nature. A password manager syncs the password itself, which is a secret held by both user and server, and so a breach of the vault hands the attacker a working key to every account inside. A passkey synchronisation moves the private key, but the corresponding server has never held any secret in the first place; even if the website is breached, only the public key leaks, and that is worthless to the attacker.

What if Apple’s or Google’s sync service itself were compromised? The protection here lies in end-to-end encryption. Before the private key leaves the device, it is encrypted with a key known only to the user’s own devices, and the cloud sees nothing but ciphertext that even Apple or Google cannot unlock. If the entire sync system were breached, what leaks is an unreadable encrypted bundle. To actually use a passkey, an attacker would need to compromise the user’s Apple ID or Google account itself, which means stealing the password, defeating two-factor authentication, and then convincing the platform to trust an entirely new device, with each step triggering an explicit alert on the user’s existing devices. The risk has not vanished, but it has been pushed up from the storage layer to the identity layer. The attack surface narrows, the cost rises, and the leaked ciphertext on its own carries no immediate value.

The YubiKey route comes with its own trade-off. The fact that the private key never leaves the chip is its strongest protection, but it is equally its biggest weakness: lose the key and the credentials inside vanish with it, with no recovery path even from Yubico. The standard practice is therefore never to rely on a single key. Each account should be registered with at least two, one carried daily and one stored at home or in a safe. If the everyday key is lost, the backup still works; the first thing to do is delete the old key from the account and add a fresh replacement. Anyone who used only one and lost it falls back on each service’s account-recovery process, which is the weakest link in the entire chain and the favoured target of social engineering attackers.

Passkeys also do not lock a user inside one ecosystem. A passkey created on an iPhone can be used to log in to a website on a Windows computer by scanning a QR code displayed on the screen, with Bluetooth confirming that the two devices are physically near each other before completing the verification. The private key never leaves the phone; the cross-platform handoff is achieved through a FIDO standard protocol handshake, not by copying secrets between devices. Compared with social login, which essentially outsources identity to a single provider, this is a fundamentally different design.

Passkeys are not a panacea. They shift the risk from the storage layer to the device layer and the identity layer. The attack surface narrows and the bar rises, but it is not zero. A device deeply compromised by malware, or with a backdoor planted at the supply-chain stage, would expose any credentials held inside. Compared with passwords, however, this attack path has always been the harder one. A keylogger cannot capture a string that was never typed; a phishing site cannot trick the user into transmitting a private key that never travels; a server breach cannot leak a usable secret because no usable secret was ever stored. Harder is not the same as impossible, and security engineering has never offered a final answer.

There is also a structural concern worth naming. The passkey sync ecosystem currently rests on Apple, Google and Microsoft. End-to-end encryption protects against technical surveillance, but it does not protect against policy shifts. If a platform alters its access rules, complies with regulatory or law-enforcement demands, or freezes a user’s account for any reason, the entire login flow shakes with it. The FIDO Alliance is working on standards such as the Credential Exchange Format that will eventually let passkeys move between providers, but seamless interoperability is still some way off. For elderly users without smartphones, those uncomfortable with biometrics, or those whose work devices forbid personal sync, plain passwords will remain a fallback for the foreseeable future.

What the user actually sees is a fingerprint or a glance at the camera, and the fingerprint itself never leaves the secure chip inside the device. The server receives only a signature produced by the private key, which has nothing to do with what the biometric data actually look like. Behind that simple gesture is more than thirty years of mature cryptography, finally caught by consumer-grade hardware. Apple, Google and Microsoft now support passkeys natively, and major services including Amazon, PayPal, GitHub and Revolut have rolled them out. The FIDO Alliance reports that more than one billion people worldwide have activated at least one passkey, with consumer awareness running at roughly three quarters. In April 2026 the UK’s National Cyber Security Centre formally advised consumers to make passkeys their first choice for logging in, dropping its long-standing recommendation of plain passwords.

This is not another tech-industry feature push. It is a shift in the underlying engineering model. The reason the safest password is no password at all is not that passwords have ceased to matter, but that the shared-secret premise on which they rest is itself the source of the vulnerability. Keeping the secret behind the fingerprint on your own device, where it never has to travel, is what finally makes the model work.

When people talk about weather forecasts, the most common question is simple: is it accurate? If the only standard is avoiding missed events, the answer is surprisingly easy. Forecast rain every single day. You will never miss a rainy day. Your hit rate will reach 100%. It looks impressive. It means nothing.

In forecast verification, one of the most basic metrics is POD, the Probability of Detection. It is calculated as the number of correctly forecast events divided by the number of events that actually occurred. Suppose there are 100 rainy days in a year. As long as all 100 are forecast, the POD is 100%. If you predict rain every day, this condition is automatically satisfied. Even someone with no judgment at all can achieve a perfect score on paper.

But the problem appears immediately. On the remaining 265 days, it does not rain. Yet all of them are forecast as rain. These are false alarms. That is where FAR, the False Alarm Ratio, becomes relevant. FAR is calculated as the number of false alarms divided by the total number of forecast events. If rain is forecast every day, then out of 365 forecasts, only 100 are correct and 265 are false alarms. The FAR is about 73%. In other words, more than seven out of ten warnings are unnecessary. Trust quickly erodes under such conditions.

This is why POD alone is meaningless. A forecast can inflate its detection rate through extreme strategies while simultaneously amplifying false alarms. On the other hand, if rain is never forecast, the FAR is zero. Yet every rainy day is missed. The POD falls to zero. That is equally useless. The real challenge lies in finding a reasonable position between these extremes.

Meteorologists often use CSI, the Critical Success Index, to assess hits, false alarms and misses together. CSI is calculated as the number of hits divided by the sum of hits, false alarms and misses. If a forecast is too aggressive or too conservative, CSI will remain low. Only with balanced judgment does the index improve. This metric forces forecasters to take responsibility for overall performance rather than hide behind a single flattering number.

At its core, this is a question of risk management. If the cost of missing an event is extremely high, such as heavy rainfall triggering landslides, a higher false alarm rate may be acceptable. If the cost of false alarms is substantial, such as unnecessary school closures or economic disruption, then false alarms must be tightly controlled. Forecasting is never a simple competition about being right or wrong. It is a trade-off between costs and risks.

What is described above concerns basic categorical forecast verification. Modern weather forecasting increasingly uses probabilistic formats, such as predicting a 30% or 70% chance of rain. Verifying probabilistic forecasts involves deeper concepts such as reliability, resolution and the Brier Score. These are far more complex than POD or CSI. Determining whether a probabilistic forecast is both reliable and capable of distinguishing different outcomes is another layer of evaluation. That discussion will have to wait.

The idea of being 100% accurate is often little more than a definitional trick. Choose a metric that favours your strategy and impressive numbers will follow. Responsible forecasting requires multiple metrics and clear explanations of trade-offs. Numbers do not speak for themselves. People decide which numbers to emphasise.

What applies to weather forecasts applies equally to other forms of prediction. If we chase surface accuracy without confronting costs and uncertainty, any prediction can be made to look perfect. The question is not whether perfection is achievable. The question is whether we are willing to measure meaning honestly.

The name is catchy, but let’s be clear: air fryers do not actually ‘fry’. They do not immerse food in oil; instead, they use high-speed hot air to dry the surface, creating a texture similar to that of fried food.

The principle behind air fryers is not complicated. At the top of the unit is a heating element, in the middle is a fan, and at the bottom is a food basket. When turned on, the heating element reaches temperatures between 160 and 200°C, and the fan blows hot air rapidly towards the food, creating a circulating convection. The strong hot air quickly removes moisture from the surface, drying it out and triggering the Maillard reaction, resulting in a golden and crispy exterior. The so-called ‘frying’ effect is actually achieved through hot air roasting.

Air fryers excel at handling small portions of food that require a crispy texture. Items like fries, chicken wings, fish fillets, and frozen snacks can yield satisfactory results. The key lies in achieving surface crispiness. Due to their compact size, air fryers heat up quickly and do not require the preheating of a large cavity like traditional ovens. They are particularly convenient for small households of one or two people.

However, they are not a panacea. The results for wet batter foods are limited, as the batter may be blown away before it can dry. Overcrowding the food basket can also impede the flow of hot air. For whole chickens or large cuts of meat, smaller models may not be suitable. Essentially, an air fryer functions as a small, powerful oven and should be used with this understanding.

Is it healthier? From a fat perspective, it often is. Traditional frying requires immersing food in oil heated to 170 to 180°C, resulting in higher oil absorption. An air fryer only needs a thin layer of oil, or even none at all, which can reduce fat intake. However, high temperatures still pose risks such as the formation of acrylamide. Whether it is healthy or not depends not on its name, but on the control of temperature and time.

As for energy efficiency, it depends on the comparison. Typical air fryers have a power rating of about 1200 to 2000 watts, while traditional ovens usually range from 2000 to 3000 watts. The power difference is not drastic, but air fryers have a smaller capacity and shorter preheating times. If cooking for one or two people, the overall energy consumption is often lower. However, if large quantities of food need to be cooked at once, requiring batch processing, the total energy consumption may not be advantageous.

There is also a practical consideration. Due to their enclosed and smaller space, air fryers have a lower impact on the overall temperature of the kitchen. Using them in the summer reduces the burden on air conditioning, indirectly saving energy. This is a point often overlooked in everyday use.

The popularity of air fryers is not mysterious. They condense the oven’s size and enhance convection, resulting in speed and efficiency. They do not truly ‘fry’, yet they can simulate the texture of fried food. Understanding this means we need not mythologize them, nor should we dismiss them.

Tools are merely tools. Names can be misleading, but principles are not.

The Winter Olympics are in full swing, and amidst a host of events defined by speed and explosive power, curling stands out as an anomaly: its pace is slow, movements are restrained, and it appears devoid of dramatic tension. However, after watching a few matches, one realizes that this sport is exceptionally ruthless, as each stone cannot be remedied once thrown, and nearly all outcomes are determined at the moment of release.

To understand why the physics of curling is so crucial, one must first clarify the rules and scoring. Curling matches are calculated in ‘ends’, with each team throwing 8 stones, for a total of 16. After all stones are thrown, only one team can score: the team whose stones are closest to the center of the house scores, and the number of points is equal to the number of that team’s stones that are closer to the center than the opponent’s closest stone. In other words, it is not simply about having more stones in the house; rather, the order of distance determines everything. A stone that is 10 centimeters off can turn a score from 2 points to 0 points.

Thus, curling is never just about ‘pushing the stone’; it is an art of path control. Many people, upon first seeing curling, wonder why the stone, which appears to be sliding straight, curves to one side at the end. The intuitive answer is often ‘because of the spin’, with some even likening it to a bending soccer ball, but this is not entirely accurate. The curvature of the curling stone does not stem from aerodynamics, but rather from subtle asymmetries in the friction with the ice surface.

The bottom of a curling stone is not flat; it features a narrow band that makes contact with the ice, meaning only this edge is in contact with the surface. The ice used in competitions is not as smooth as a mirror; it is sprinkled with countless tiny droplets that form bumps, referred to as ‘pebble’ in the industry. The stone actually slides on top of these minuscule ice particles, rather than across the entire ice surface.

As the stone moves forward with a slight spin, the ice particles it first contacts are compressed and rubbed, causing a slight increase in temperature; the ice it contacts later is no longer in its original state. This difference in contact states creates a slight increase in friction on the side where the stone is spinning. The difference is minimal, almost imperceptible in real time, but accumulates over the course of several seconds or even tens of seconds, ultimately pulling the stone towards the side of the spin, resulting in the unique and predictable curving path of curling.

The role of sweeping is often misunderstood as simply ‘brushing hard to make the stone go further’. In reality, sweeping is more about controlling the outcome rather than merely pursuing distance. Rapid sweeping raises the temperature of the ice surface momentarily, creating a very thin layer of water while smoothing the tips of the pebble, altering the friction distribution between the stone and the ice. The result is not merely faster or slower; it is about how much or how little the stone curves and when it curves. In high-level competitions, sweeping is often employed to pull back a shot that would otherwise score negatively into a scoring position.

Even within the same Winter Olympics, the conditions of the ice can vary slightly from match to match and time to time. Factors such as venue humidity, ice temperature, water distribution, and wear from previous matches can all affect the state of the pebble, thereby altering the friction characteristics. Top teams repeatedly practice their shots before the match, not relying on intuition but recalibrating to the physical conditions of the ice that day.

Even the material of the curling stones is a serious scientific choice. Competition stones are almost exclusively made from a specific type of granite, not out of tradition but because of its dense crystalline structure and extremely low water absorption rate, allowing it to maintain a stable shape under repeated impacts and long-term friction. If the stones absorb water or develop micro-cracks, the behavior of the contact ring will change over time, leading to a collapse in the predictability of the entire sport.

Curling may appear slow, but it merely stretches extremely small physical effects to a scale observable by the human eye. A bit more spin or half a second less of sweeping may only differ in the third decimal place of the friction coefficient, yet it is enough to turn a scoring shot into a non-scoring one. This is not a slow sport; it is one that demands extreme precision. The next time you watch curling at the Olympics, remember that the elegant arc is underpinned by a comprehensive set of physical laws, operating quietly and accurately.

The question of whether artificial intelligence will surpass humans within twenty years has shifted from science fiction to a pressing topic of discussion among researchers, industry leaders, and policymakers. The real divide lies not in whether it will happen, but in the standards for ‘surpassing’ and who is qualified to make that judgment.

One of the most prominent warners is Geoffrey Hinton. As a pioneer of deep learning and former chief researcher at Google, he is not a mere observer but an architect of the neural network revolution. In recent years, Hinton has publicly acknowledged that he underestimated the speed of technological advancement. He previously believed that humanity had a buffer of 30 to 50 years, but now he considers it realistically possible for AI to reach or exceed human levels in most cognitive tasks within the next 10 to 20 years. His timeline is based on an engineering intuition regarding model scale, emergent capabilities, and self-learning potential, rather than abstract philosophy.

In contrast stands Yann LeCun. Also one of the three giants of deep learning and currently the chief AI scientist at Meta, LeCun emphasizes that today’s AI is fundamentally still a high-level statistical tool, lacking a true understanding of the physical world, causal relationships, and common sense. In his view, unless a groundbreaking theoretical breakthrough occurs, the so-called general artificial intelligence remains ‘decades away’ and may not be achievable through existing pathways alone. He does not provide a specific year but offers a clear negation condition.

At the forefront of industry is Sam Altman. As the CEO of OpenAI, his role is not to define intelligence but to drive capabilities into practical applications. Altman avoids claiming a specific year for when AI will ‘surpass humans,’ but he paints a shorter timeline: within the next 5 to 10 years, AI will be capable of causing irreversible impacts on the labor market and institutional structures in fields such as scientific research, programming, medical assistance, and administrative decision-making. This perspective focuses on when the effects will become undeniable.

The most definitive in terms of timeline is futurist Ray Kurzweil. As an inventor who has long studied computational trends and a former engineer at Google, he predicts that around 2045, machine intelligence will fully surpass human intelligence, triggering what is known as the ‘singularity.’ His judgment is based on extrapolations of exponential growth in computing power, cost, and data scale, which supporters view as a calm mathematical inference, while critics argue that social, energy, and political frictions do not exhibit exponential growth.

When these viewpoints are juxtaposed, a clear structure emerges: Hinton points to a mid-term risk window within twenty years, Altman describes institutional impacts already occurring within ten years, Kurzweil provides a long-term endpoint, while LeCun warns that the entire trajectory may overestimate existing technologies.

Thus, the notion of ‘AI surpassing humans within twenty years’ may not represent a singular moment but rather a cumulative series of critical points. By the time society semantically acknowledges ‘surpassing,’ the scales of power, efficiency, and decision-making may have already tipped.