Post-Quantum Password Security - What Quantum Computers Will Change


Quantum computing will not break your passwords - at least not in the way most people assume. The critical distinction that much of the media coverage misses is this: Shor's algorithm devastates public key cryptography (RSA, ECC, Diffie-Hellman), but password hashing algorithms like bcrypt and Argon2 face only a quadratic speedup from Grover's algorithm, reducing a 128-bit search space to an effective 64 bits. IBM's quantum roadmap targets 100,000 qubits by 2033, yet running Grover's algorithm against a properly salted Argon2 hash would require millions of error-corrected logical qubits - far beyond any projected timeline. Meanwhile, NIST finalized three post-quantum cryptography standards in 2024 (ML-KEM, ML-DSA, SLH-DSA) and recommends completing migration from vulnerable algorithms by 2035. The real and immediate threat is "Harvest Now, Decrypt Later" - adversaries collecting encrypted data today to decrypt once quantum computers mature. This article separates fact from hype, explains what quantum computing actually changes for password security, and outlines what individuals and organizations should do now.

Shor's Algorithm vs Grover's Algorithm - Accurately Mapping the Impact

To accurately understand quantum computing's impact on security, you must clearly distinguish between two quantum algorithms. Shor's algorithm can solve large integer factorization and discrete logarithm problems in polynomial time. This fundamentally breaks RSA encryption (which relies on the difficulty of factorization), elliptic curve cryptography (which relies on the discrete logarithm problem), and Diffie-Hellman key exchange. Nearly all of the internet's current encrypted communications (TLS/SSL), digital signatures, and PKI infrastructure are affected.

Grover's algorithm, on the other hand, provides a quadratic speedup for unstructured search problems. Applied to password brute-force attacks, it reduces the cost of searching N candidates from roughly N evaluations to roughly √N. Specifically, for a hash with 128-bit security strength, Grover's algorithm effectively reduces it to 64-bit strength. While this may sound serious, 2^64 computations remain enormous in practice - a scale requiring decades even on current classical computers. More importantly, password hashing functions like bcrypt and Argon2 are intentionally designed with high computational cost, and that cost is paid in full by every iteration of Grover's algorithm, since each iteration must evaluate the hash function.

Real Impact on Password Hashing - A Sober Assessment

Let's soberly assess the quantum computing threat to password hashing. Consider a 16-character random password hashed with Argon2id (OWASP recommended settings: 19 MiB memory, 2 iterations, parallelism 1). Brute-forcing on classical computers requires approximately 2^95 computations. Even applying Grover's algorithm, approximately 2^47.5 quantum operations are needed, with each operation multiplied by Argon2's computational cost (including 19 MiB memory access). Considering current quantum computer operating speeds (gate operations in microsecond timescales), this computation would require astronomical time.

In other words, properly designed password hashing systems maintain considerable resistance even against quantum computers. The countermeasure is straightforward: ensure sufficient password length (16+ characters recommended) and use a modern hashing function such as Argon2id with appropriate parameters; with those two measures in place, password hash security is maintained even in the quantum era. However, this applies only to password hashing - the public key cryptography used for TLS communication encryption and digital signatures will be completely broken by Shor's algorithm, making migration there urgent.
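The following Python is an added worked example (not code from the article) that generalizes the cost estimate above to any password length and character set: it computes the search-space bits, the Grover-halved exponent, and an order-of-magnitude time estimate given an assumed per-evaluation cost for Argon2id at the OWASP parameters the article cites. The seconds-per-hash figure, the machine counts, and the use of the same per-evaluation cost on the classical and quantum side are assumptions of this example; the Argon2id parameters are the article's.

```python
import math

# Argon2id parameters the article cites as the OWASP recommendation
# (19 MiB memory, 2 iterations, parallelism 1). The per-evaluation time is an
# assumption for this example, not a measured benchmark.
ARGON2ID_OWASP = {"memory_kib": 19 * 1024, "time_cost": 2, "parallelism": 1}
ASSUMED_SECONDS_PER_HASH = 0.05      # assumption: ~50 ms per Argon2id evaluation

# Character-set sizes used to derive the search space of a uniformly random password.
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "alphanumeric": 62,        # 16 chars over 62 symbols is the article's ~2^95 case
    "printable_ascii": 95,
}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space_bits(length: int, charset_size: int) -> float:
    """Entropy of a uniformly random password: log2(charset_size ** length)."""
    if length <= 0 or charset_size <= 1:
        raise ValueError("length must be positive and the character set larger than 1")
    return length * math.log2(charset_size)


def grover_bits(bits: float) -> float:
    """Grover reduces a search over 2^b candidates to about 2^(b/2) evaluations."""
    return bits / 2


def expected_evaluations(bits: float, quantum: bool = False) -> float:
    """Hash evaluations needed on average to find one password among 2^bits."""
    if quantum:
        # Grover needs about (pi/4) * sqrt(N) sequential iterations.
        return (math.pi / 4) * 2 ** grover_bits(bits)
    # Classical exhaustive search hits the target after half the space on average.
    return 2 ** (bits - 1)


def expected_years(bits: float, seconds_per_eval: float, machines: int = 1,
                   quantum: bool = False) -> float:
    """Expected wall-clock years to find the password.

    Classical search splits linearly across machines. Grover's iterations are
    sequential; p independent Grover instances over disjoint slices only buy a
    sqrt(p) speedup, so adding hardware helps the quantum attacker far less.
    """
    speedup = math.sqrt(machines) if quantum else machines
    return expected_evaluations(bits, quantum) * seconds_per_eval / speedup / SECONDS_PER_YEAR


def assess(length: int, charset: str, seconds_per_eval: float = ASSUMED_SECONDS_PER_HASH,
           machines: int = 1) -> dict:
    """Classical vs Grover brute-force cost for a random password over `charset`."""
    bits = search_space_bits(length, CHARSETS[charset])
    return {
        "bits": round(bits, 1),
        "grover_bits": round(grover_bits(bits), 1),
        "classical_years": expected_years(bits, seconds_per_eval, machines),
        "grover_years": expected_years(bits, seconds_per_eval, machines, quantum=True),
    }


def min_length_for(target_grover_bits: float, charset: str) -> int:
    """Smallest length whose Grover-reduced strength still reaches the target."""
    per_char = math.log2(CHARSETS[charset])
    return math.ceil(2 * target_grover_bits / per_char)


if __name__ == "__main__":
    for length in (8, 12, 16, 20):
        r = assess(length, "alphanumeric")
        print(f"{length:2d} alphanumeric chars: {r['bits']:5.1f} bits, "
              f"Grover {r['grover_bits']:5.1f} bits, "
              f"classical {r['classical_years']:.2e} yr, quantum {r['grover_years']:.2e} yr")
    print("length for ~47.5 Grover bits:", min_length_for(47.5, "alphanumeric"))
```

Running it reproduces the article's 16-character case (about 95.3 bits, 47.6 bits after Grover) and shows that a tenfold increase in quantum machines only cuts the Grover estimate by a factor of about three, which is why the per-evaluation cost of a memory-hard hash matters more than raw qubit counts.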

Current Status of NIST Post-Quantum Cryptography Standardization

NIST (National Institute of Standards and Technology) initiated the post-quantum cryptography standardization process in 2016 and finalized the first three standards in August 2024. ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism, formerly CRYSTALS-Kyber) is a key encapsulation mechanism used for key exchange in TLS handshakes and similar protocols. ML-DSA (Module-Lattice-Based Digital Signature Algorithm, formerly CRYSTALS-Dilithium) is a digital signature algorithm used for code signing and certificate verification. SLH-DSA (Stateless Hash-Based Digital Signature Algorithm, formerly SPHINCS+) is a hash-based signature algorithm positioned as a backup with a different mathematical foundation from lattice cryptography.

These standards are already being adopted. Google Chrome has supported ML-KEM in TLS 1.3 since version 131 (November 2024), and Signal Protocol integrated PQXDH (post-quantum extended Diffie-Hellman) in September 2023. For a deeper understanding of the cryptographic foundations, our encryption basics article and PKI glossary entry provide essential context on why public key infrastructure is the primary target.

"Harvest Now, Decrypt Later" - The Threat That Exists Today

The most overlooked aspect of post-quantum cryptography discussions is the "Harvest Now, Decrypt Later" (HNDL) attack. Nation-state attackers are intercepting and storing massive volumes of current encrypted communications. While this data cannot be decrypted now, it is a long-term strategy anticipating future quantum computers that can decrypt it. Diplomatic communications, military intelligence, corporate intellectual property, and medical records - data that retains value over long periods - are the primary targets.

The impact of HNDL attacks on password security is indirect but significant. While password hashes themselves are quantum-resistant, if TLS traffic carrying a password is intercepted and stored, the plaintext password could be recovered in the future once the TLS key exchange can be broken. This is particularly risky for users who do not change their passwords for extended periods. Additionally, if session tokens or authentication tokens are intercepted and stored, they could potentially be decrypted in the future and used for replay attacks.

What Individual Users Should Do Now

The actions individual users should take now against quantum computing threats are clear. First, ensure your passwords are at least 16 characters long. Even considering Grover's algorithm speedup, random passwords of 16+ characters maintain a sufficient security margin against quantum computers. Using a password manager makes managing long, complex passwords easy. Second, actively pursue migration to passkeys. Passkeys are an authentication method based on FIDO2/WebAuthn that eliminates passwords themselves, removing the password-specific risks of phishing, brute force, and quantum attacks on stored password hashes.

Third, keep your software and browsers updated. As post-quantum cryptography is integrated into TLS 1.3 and other protocols, staying current ensures you benefit from these protections automatically. Our passkeys guide and passkey migration challenges article detail the practical steps for transitioning away from passwords. For those wanting to understand the broader authentication landscape, the passkey glossary entry provides a concise overview.

Actions Organizations Should Take and Timeline

The most important priority for organizations is ensuring crypto agility - designing systems so that cryptographic algorithms can be swapped rapidly. Systems with hardcoded cryptographic algorithms will require enormous time and cost to migrate to post-quantum cryptography. First, create an inventory of all cryptographic algorithms used within your organization. Identify every location where cryptography is used: TLS certificates, VPNs, database encryption, code signing, API authentication, and more. Then identify vulnerable algorithms that NIST recommends migrating from by 2035, such as RSA-2048 and ECC P-256, and develop a migration plan.
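As an added example (not code from the article or from NIST), the following Python sketches the inventory step: it takes a list of cryptographic-use records, classifies each algorithm label as Shor-vulnerable, post-quantum, hybrid (classical plus post-quantum, as in Chrome's X25519MLKEM768 TLS key exchange), or symmetric/hash (Grover-only impact), and produces the migration backlog. The inventory records, the label patterns, and the HNDL-based priority heuristic are constructed for this example; a real inventory would be fed from certificate scans, TLS configuration, and KMS exports.

```python
import re
from collections import Counter

# Shor's algorithm breaks the whole RSA / elliptic-curve / finite-field DH family,
# so any such label is flagged regardless of key size. The article names RSA-2048
# and ECC P-256 as algorithms NIST recommends migrating from by 2035.
SHOR_VULNERABLE = re.compile(
    r"(RSA|ECDSA|ECDH|FFDHE|DHE?\b|DSA|X25519|ED25519|X448|ED448|"
    r"P-?256|P-?384|P-?521|SECP\d+R1|PRIME256V1)", re.I)

# NIST's 2024 standards and the pre-standard names they were selected under.
POST_QUANTUM = re.compile(r"(ML-?KEM|ML-?DSA|SLH-?DSA|KYBER|DILITHIUM|SPHINCS)", re.I)

# Symmetric ciphers, hashes and password hashes: only Grover's quadratic speedup applies.
SYMMETRIC = re.compile(r"(AES|CHACHA|SHA-?[23]|SHA\d|HMAC|ARGON2|BCRYPT|SCRYPT|PBKDF2)", re.I)

# Uses whose confidentiality is exposed to Harvest Now, Decrypt Later: recorded
# traffic or ciphertext can be broken later, unlike a signature checked today.
HNDL_EXPOSED = re.compile(r"(key exchange|encryption|VPN|IKE|DH group)", re.I)


def classify(label: str) -> str:
    """Classify one algorithm label: vulnerable, hybrid, post-quantum, symmetric or unknown."""
    is_pq = bool(POST_QUANTUM.search(label))
    # Strip post-quantum tokens first so 'DSA' inside 'ML-DSA' is not counted as classical.
    is_classical = bool(SHOR_VULNERABLE.search(POST_QUANTUM.sub("", label)))
    if is_pq and is_classical:
        return "hybrid"
    if is_classical:
        return "vulnerable"
    if is_pq:
        return "post-quantum"
    if SYMMETRIC.search(label):
        return "symmetric"
    return "unknown"


def priority(record: dict) -> str:
    """Order the backlog: HNDL-exposed confidentiality uses first, signatures after."""
    if classify(record["algorithm"]) != "vulnerable":
        return "none"
    return "high" if HNDL_EXPOSED.search(record["use"]) else "normal"


def report(inventory: list) -> tuple:
    """Annotate every record with its status and priority; return rows plus a status count."""
    rows = [{**rec, "status": classify(rec["algorithm"]), "priority": priority(rec)}
            for rec in inventory]
    return rows, Counter(r["status"] for r in rows)


def migration_backlog(inventory: list) -> list:
    """Records that must leave Shor-vulnerable algorithms, highest priority first."""
    vulnerable = [rec for rec in inventory if classify(rec["algorithm"]) == "vulnerable"]
    return sorted(vulnerable, key=lambda rec: 0 if priority(rec) == "high" else 1)


# Constructed sample inventory for this example.
INVENTORY = [
    {"system": "www-edge", "use": "TLS certificate", "algorithm": "RSA-2048"},
    {"system": "www-edge", "use": "TLS key exchange", "algorithm": "X25519MLKEM768"},
    {"system": "vpn-gw-1", "use": "IKEv2 DH group", "algorithm": "ECDH P-256"},
    {"system": "ci-signing", "use": "code signing", "algorithm": "ECDSA P-256"},
    {"system": "auth-db", "use": "password hashing", "algorithm": "Argon2id"},
    {"system": "auth-db", "use": "encryption at rest", "algorithm": "AES-256-GCM"},
    {"system": "pq-pilot", "use": "document signing", "algorithm": "ML-DSA-65"},
]

if __name__ == "__main__":
    rows, summary = report(INVENTORY)
    for row in rows:
        print(f"{row['system']:11s} {row['use']:20s} {row['algorithm']:16s} "
              f"{row['status']:12s} priority={row['priority']}")
    print("summary:", dict(summary))
    print("backlog:", [(r["system"], r["algorithm"]) for r in migration_backlog(INVENTORY)])
```

The classification deliberately treats a full TLS cipher suite string such as ECDHE-RSA-AES256-GCM-SHA384 as vulnerable, because the key exchange and certificate signature are what Shor's algorithm breaks even though the AES and SHA components are fine; the hybrid status is what an organization should expect to see on systems that have already adopted ML-KEM in TLS 1.3.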

Adopting zero trust architecture is also effective preparation for the post-quantum era. In zero trust, authentication and authorization are performed for each individual request rather than at the network boundary, so even if some cryptography is broken, damage can be localized. Additionally, organizational deployment of passkeys and hardware security keys is the most effective long-term strategy for reducing password dependency and eliminating the risk of quantum computer password attacks altogether.

For those looking to deepen their understanding of cryptographic fundamentals and quantum-resistant strategies, cryptography reference books (Amazon) provide comprehensive coverage from classical to post-quantum algorithms.

Frequently Asked Questions

Will all current passwords be broken when quantum computers become practical?

No, this is a misconception. What quantum computers directly break is public key cryptography like RSA and ECC - the impact on password hashing (bcrypt, Argon2, etc.) is limited. While Grover's algorithm reduces the brute-force search space to its square root, random passwords of 16+ characters hashed with Argon2id remain difficult to break even with quantum computers within practical timeframes. However, if TLS traffic carrying a password is intercepted and stored, the password could potentially be decrypted in the future.

Are passkeys safe against quantum computers?

Current passkeys are based on ECDSA (elliptic curve cryptography) and could theoretically be broken by Shor's algorithm. However, the FIDO Alliance is already considering migration to post-quantum cryptography, and the FIDO2 protocol underlying passkeys is designed to allow cryptographic algorithm replacement. Before quantum computers become practical, passkey cryptographic foundations are expected to be updated to post-quantum algorithms. Passkeys are more likely to transition smoothly to the quantum era than passwords.

How can I protect myself from "Harvest Now, Decrypt Later" attacks?

At the individual level, prioritize using services and apps that support post-quantum cryptography. Signal has already implemented post-quantum key exchange (PQXDH), and Chrome supports ML-KEM in TLS 1.3. Keeping your browser and apps up to date automatically provides these protections. For data that needs to maintain confidentiality over long periods (medical records, legal documents, financial information), also consider adopting post-quantum algorithms for encryption at rest.
