Who writes on PwdFortress

Our team: who we are, what we test, and why we take password security seriously.

Eric Gerard

Editor · Password manager and applied cryptography specialist

Independent editor for 12 years, former network admin at a French industrial SMB (Cisco CCNA 2014). On PwdFortress, I test every password manager as a paying customer — vault creation, import from Chrome/Bitwarden/1Password, encrypted sharing tests, zero-knowledge threat model audits. No published figure comes from a marketing brochure.

My career started in 2010 as a network admin for a French industrial SMB: three sites, two Cisco ASA firewalls, and responsibility for an Active Directory domain with its password complexity policy. That's where I saw the gap between CISO-imposed policy (12 characters, 90-day rotation, complexity) and the reality of post-it notes under workstation keyboards. I earned the Cisco CCNA in 2014, then switched to affiliate tech publishing. On PwdFortress I work self-taught on applied cryptography: reading the RFCs (RFC 8018 PBKDF2, RFC 9106 Argon2, RFC 8949 CBOR for WebAuthn), auditing the Bitwarden and 1Password whitepapers, and reading the independent Cure53 and Praetorian audits published on the managers we recommend. I test every product for at least 14 days as a real customer: vault creation, import from other managers, encrypted sharing, breach monitoring, account recovery. I publish under my full name and personally answer technical questions via the contact form.

12+ years in tech publishing and network infrastructure

Have a question about a manager we tested or a threat model? Email me directly at contact@pwdfortress.com — I answer personally.

Areas of coverage

  • Password manager testing (Bitwarden, 1Password, Proton Pass, NordPass, Dashlane, KeePassXC)
  • Zero-knowledge model audit: Argon2 / PBKDF2 derivation, AES-256 vault encryption, sealed sharing
  • Passkey testing (WebAuthn / FIDO2) on Chrome, Safari, Firefox and YubiKey hardware keys
  • 2FA audit: TOTP, push, SMS, hardware tokens, recovery codes
  • Migration between managers: secure export, import and purge of the previous vault

Our extended team

Beyond Eric, our technical articles go through a review loop by external consultants, anonymised at their request. They are not co-authors: they are reviewers paid on a per-article basis to verify cryptographic claims before publication.

  • Technical reviewer #1 — Applied cryptography

    13 years of applied cryptography experience (security team of a French fintech), expert in key derivation (Argon2, scrypt, PBKDF2), vault encryption scheme audits, TypeScript / Rust code reviews around libsodium. Verifies our claims on KDF parameters (memory, iterations) and GPU attack resistance before publication. Average review time: 6 business days.

  • Technical reviewer #2 — Identity & WebAuthn

    10 years in identity management and FIDO standards (former implementer of an enterprise OIDC + WebAuthn IdP). Verifies our articles on passkeys, authenticator attestation, iCloud Keychain / Google Password Manager syncing, and cross-device handoff risks. Average review time: 7 business days.

Editorial standards

Every article published on PwdFortress follows the process below, with no exceptions or shortcuts.

  • Technical peer review before publication

    Every article containing measurable cryptographic claims (KDF parameters, threat model, security claims) is reviewed by one of our two technical reviewers. Unverifiable claims are removed.

  • Primary sources required

    Every figure or cryptographic parameter cited must point to official manager documentation (whitepaper, developer docs) or a published independent audit (Cure53, Praetorian, NCC Group). Marketing claims are never published without verification.

  • Maximum revision cycle of 90 days

    No article stays published longer than 90 days without a review of its technical content. The frontmatter date (datePublished / dateModified) reflects the last real verification, not a cosmetic CI build.

  • Public correction policy

    If a factual error is reported, we correct it within 48 business hours and add a dated note at the bottom of the article explaining the change. No silent corrections.

  • Conflicts of interest declared on every page

    Pages containing affiliate links carry a disclaimer at the top: persistent banner + rel="sponsored nofollow" HTML attribute on every commercial link. No exceptions.
