Advanced · 13 min read · Updated February 2025

Post-Quantum Password Security: What You Need to Know in 2025

Quantum computers are not yet breaking passwords — but the threat is real and the preparation window is now. Here is what you need to know and do.

The quantum computing threat

Quantum computers do not yet threaten passwords in any practical sense. As of 2025, the largest quantum computers — IBM's Heron processors, Google's Willow chip — have hundreds to thousands of physical qubits, but the "cryptographically relevant" quantum computer that could break current encryption standards requires millions of error-corrected logical qubits. We are likely a decade or more away from that capability.

So why does post-quantum password security matter now? Two reasons: the harvest now, decrypt later attack model, and the preparation window for long-lived secrets and infrastructure.

Harvest now, decrypt later

Nation-state adversaries and well-resourced attackers are actively collecting encrypted data today with the intention of decrypting it when quantum computers become capable. This is the "harvest now, decrypt later" (HNDL) threat model.

For passwords specifically, the HNDL model is less concerning than it is for asymmetric encryption (TLS traffic, encrypted emails), because passwords are typically salted and hashed rather than encrypted: the attacker must crack each individual hash rather than decrypt a captured ciphertext stream. However, there are specific password-adjacent scenarios where HNDL matters:

  • Encrypted backup files containing password stores (LastPass-style vaults)
  • Encrypted archives containing sensitive documents that remain valuable long-term
  • Long-lived API keys and secrets used for systems with 10+ year operational horizons
  • SSH private keys stored in encrypted form and transmitted or stored in third-party systems

How quantum affects passwords specifically

The quantum threat to passwords comes primarily from Grover's algorithm — a quantum search algorithm that provides a quadratic speedup in searching unsorted data. The security implications:

For a password stored as a hash: A classical computer requires O(N) operations to brute-force an N-element search space. Grover's algorithm reduces this to O(√N) — the square root. This means a quantum computer effectively halves the bit-security of a hash function. A hash that provides 256 bits of classical security provides only 128 bits of quantum security.

For password hashing specifically, this means:

  • A password with 80 bits of classical entropy has only 40 bits of quantum security
  • A password with 128 bits of classical entropy has 64 bits of quantum security — still very strong, but the margin is thinner
  • The passwords most at risk are those in the 40–80 bit range that are considered "adequate" today — they drop to the 20–40 bit range under quantum attack

Importantly, slow hashing algorithms (bcrypt, Argon2id, scrypt) retain their advantage against quantum attackers because Grover's algorithm does not eliminate the cost of hashing — it only reduces the number of hash computations needed. A Grover-based attack on bcrypt-hashed passwords is slower than a Grover-based attack on MD5-hashed passwords by the same factor as classically.

NIST post-quantum standards (2024)

In August 2024, NIST published its first three post-quantum cryptography (PQC) standards:

  • FIPS 203 (ML-KEM, formerly CRYSTALS-Kyber): Key encapsulation mechanism — replaces RSA and ECC for key exchange. This is the most deployment-critical standard for TLS and encrypted communications.
  • FIPS 204 (ML-DSA, formerly CRYSTALS-Dilithium): Digital signature algorithm — replaces RSA and ECDSA for signatures. Relevant for code signing, certificate authorities, and authentication protocols.
  • FIPS 205 (SLH-DSA, formerly SPHINCS+): Hash-based signature scheme — an alternative signature algorithm for contexts requiring conservative assumptions.

For passwords themselves, NIST's guidance is simpler: increase the minimum entropy target. NIST SP 800-131A (Transitioning the Use of Cryptographic Algorithms and Key Lengths) recommends moving toward 128-bit security for long-lived secrets. For passwords, this means targeting 128+ bits of entropy.

What to do about it today

The practical actions for password security in a post-quantum preparation context:

  1. Increase length on long-lived secrets: API keys, service account credentials, and secrets with multi-year operational horizons should use 20+ character randomly generated passwords, providing 128+ bits of entropy. The cost of switching to longer credentials is minimal; the benefit accrues over the lifetime of the secret.
  2. Use Argon2id for new password storage implementations: If you're implementing a password storage system, use Argon2id rather than bcrypt or scrypt. Argon2id's memory-hard design provides additional resistance beyond bcrypt against both classical and quantum cracking attempts.
  3. Audit long-lived encrypted archives: Identify any encrypted archives or backup files containing sensitive data that will remain valuable in 10+ years. Consider re-encrypting with AES-256 (256-bit key, 128-bit quantum security) rather than AES-128.
  4. Monitor NIST PQC adoption timelines: TLS and authentication protocol libraries are actively adding PQC support. Follow the OpenSSL and browser TLS roadmaps — the infrastructure-level changes will happen without requiring action from most users.

What makes a password quantum-safe

Because Grover's algorithm halves effective entropy, a password that still provides 128 bits of security after the quantum reduction needs 256 bits of classical entropy to be quantum-safe in theory. The more practical target used in this guide is 128 bits of classical entropy, which leaves 64 bits of quantum security, a work factor that remains computationally infeasible.

The practical target for 128-bit classical entropy (64-bit quantum security — very strong):

Method                                        Minimum           Classical entropy
Random password, full ASCII (94 chars)        ≥ 20 characters   131 bits
Random password, alphanumeric (62 chars)      ≥ 22 characters   131 bits
Diceware passphrase (EFF list, 7776 words)    ≥ 10 words        129 bits
Quantum-safe minimum (NIST recommendation)    (target)          128 bits

PassGeni's post-quantum mode generates 20-character minimum passwords with the full ASCII printable character set, producing approximately 131 bits of classical entropy — 65 bits of quantum security. This is the current NIST-recommended minimum for long-lived secrets in a post-quantum threat model.

Timeline for real-world risk

The honest assessment of when quantum computers become a practical threat to passwords:

  • Now (2025): No practical quantum threat to passwords. Current quantum computers are too small and too error-prone to threaten any real-world cryptographic system.
  • 2026–2030: Continued progress on quantum error correction. Quantum computers will solve increasingly complex optimisation problems but are unlikely to threaten standard cryptography during this window.
  • 2030–2035: The period where researchers project the first cryptographically relevant quantum computers might emerge — systems capable of breaking RSA-2048 using Shor's algorithm. Password hashing (a symmetric operation vulnerable only to Grover's) is more resistant than asymmetric encryption during this window.
  • 2035+: If large-scale fault-tolerant quantum computers exist, passwords with 128+ bits of entropy remain computationally infeasible to brute-force even against quantum attacks. Passwords in the 56–80 bit range become more vulnerable.

The takeaway: the immediate risk is near zero. The preparation window is now, and the cost of preparation (using longer passwords) is essentially zero. PassGeni's post-quantum mode applies the appropriate increase in length without any additional complexity.

Grover's algorithm explained

For those who want the technical intuition: Grover's algorithm is a quantum search algorithm that can find a target item in an unsorted list of N items in O(√N) operations, compared to O(N) for a classical computer.

Applied to password cracking: if a password has N possible values (determined by length and character set), a classical computer needs on average N/2 guesses to find it by brute force. Grover's algorithm needs approximately √N guesses — the square root. This is why bit security halves: if N = 2^k, then √N = 2^(k/2), which is k/2 bits.

Grover's advantage is real but bounded. Unlike Shor's algorithm (which breaks RSA exponentially, making it practically impossible to compensate with longer keys), Grover's quadratic speedup can be compensated for by doubling the key length. For passwords, this means targeting twice the bits of entropy you'd want against a classical attacker. 128 bits classically → 64 bits quantumly, still computationally infeasible for any foreseeable quantum hardware.
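The arithmetic behind the table above and the Grover halving just described, as an added worked example (this is not PassGeni's code, and the function names, the 94-symbol set built from Python's string module, and the summary_table helper are this example's own assumptions): it computes classical entropy as length × log2(symbol count), halves it for the Grover-effective figure, finds the minimum length for a classical or post-Grover target, and generates a password of that length with the OS CSPRNG. Run as a script it reproduces the guide's 20 / 22 / 10 figures.

```python
import math
import secrets
import string

# Symbol sets and the word-list size quoted in the guide's table.
# The 94-character set is ASCII letters, digits and punctuation,
# i.e. the guide's "full ASCII printable" set (an assumption of this example).
PRINTABLE_94 = string.ascii_letters + string.digits + string.punctuation
ALPHANUMERIC_62 = string.ascii_letters + string.digits
EFF_DICEWARE_WORDS = 7776  # size of the EFF long word list

# Target stated in the guide: 128 bits classical, which Grover halves to 64.
CLASSICAL_TARGET_BITS = 128


def classical_bits(symbol_count: int, length: int) -> float:
    """Entropy of a uniformly random sequence of `length` symbols drawn
    from `symbol_count` equally likely symbols: log2(symbol_count ** length)."""
    if symbol_count < 2 or length < 1:
        raise ValueError("need at least 2 symbols and length >= 1")
    return length * math.log2(symbol_count)


def grover_bits(classical: float) -> float:
    """Effective bits against a Grover search. A search space N = 2**k
    shrinks to sqrt(N) = 2**(k/2) evaluations, so the exponent halves."""
    return classical / 2.0


def min_length_for(symbol_count: int, target_bits: float) -> int:
    """Smallest length whose classical entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(symbol_count))


def min_length_for_quantum(symbol_count: int, target_quantum_bits: float) -> int:
    """Smallest length that still has `target_quantum_bits` after Grover's
    halving, i.e. twice that many classical bits."""
    return min_length_for(symbol_count, 2.0 * target_quantum_bits)


def generate_password(symbols: str, length: int) -> str:
    """Uniform random password from `symbols` using the OS CSPRNG.
    secrets.choice is unbiased; random.choice is not suitable for secrets."""
    if len(set(symbols)) != len(symbols):
        raise ValueError("symbol set has duplicates; entropy would be overstated")
    return "".join(secrets.choice(symbols) for _ in range(length))


def summary_table(target_bits: float = CLASSICAL_TARGET_BITS) -> list:
    """Rows of (method, minimum length, classical bits, quantum bits) for the
    guide's three generation methods at the given classical target."""
    rows = []
    for name, count in (("random, 94 printable ASCII", 94),
                        ("random, 62 alphanumeric", 62),
                        ("Diceware, 7776-word EFF list", EFF_DICEWARE_WORDS)):
        n = min_length_for(count, target_bits)
        c = classical_bits(count, n)
        rows.append((name, n, c, grover_bits(c)))
    return rows


if __name__ == "__main__":
    for name, n, c, q in summary_table():
        print(f"{name:30} >= {n:2} units  {c:6.1f} bits classical  {q:5.1f} bits quantum")
    pw = generate_password(PRINTABLE_94, min_length_for_quantum(94, 64))
    print(f"example {len(pw)}-char password: {pw}")
```

The duplicate check in generate_password matters more than it looks: entropy estimates assume every symbol is distinct and equally likely, and a symbol set with repeated characters (or a generator that maps random bytes onto the set with a biased modulo) quietly delivers fewer bits than the formula claims.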

Frequently asked questions

What is post-quantum password security?

Post-quantum password security refers to generating and storing credentials with sufficient entropy to resist attacks from quantum computers. Quantum computers using Grover's algorithm can theoretically halve the effective bit security of symmetric keys — a 128-bit key becomes effectively 64-bit. This means passwords need higher entropy and longer lengths to maintain equivalent security.

Are quantum computers a threat to passwords right now?

Not yet — current quantum computers (2025) cannot break real-world passwords at any scale. However, credentials generated today may still be in use in 10-15 years when quantum capabilities may be more advanced. Generating post-quantum resistant credentials now costs nothing extra and is a prudent risk-adjusted decision for long-lived secrets.

How does Grover's algorithm threaten password security?

Grover's algorithm is a quantum search algorithm that provides a quadratic speedup over classical brute-force search. Against a password with N bits of entropy, a classical computer needs O(2^N) operations. A quantum computer using Grover's needs O(2^(N/2)) — effectively halving the bit security. A 128-bit entropy password retains only 64 bits of effective security against a quantum attacker.

What does NIST's post-quantum cryptography guidance mean for passwords?

NIST's 2024 Post-Quantum Cryptography standards (FIPS 203, 204, 205) primarily address asymmetric encryption and digital signatures. For symmetric keys and passwords (which use hashing), the guidance is to use at least 256-bit security to maintain 128-bit post-quantum security. For password generation, this means targeting 128+ bits of entropy minimum.

How do I generate post-quantum secure passwords?

Use PassGeni's Post-Quantum mode, which automatically targets 128+ bits of entropy through longer length (minimum 20 characters), expanded character set, and no predictable patterns. This ensures passwords remain secure even against the quadratic speedup Grover's algorithm provides to quantum attackers.

What length password is post-quantum secure?

A password needs sufficient entropy to maintain security after Grover's algorithm halves effective bit strength. A 20+ character random password from the full printable ASCII set (95 characters) provides approximately 131 bits of entropy — equivalent to 65.5 bits against a quantum attacker. This is well above the 64-bit threshold considered computationally infeasible.

Should I change all my passwords for post-quantum security?

For most accounts, current password lengths (16+ characters, random) provide adequate post-quantum security. The accounts worth upgrading to 20+ character passwords now are those with very long expected lifetimes — service accounts, infrastructure credentials, encryption keys, and anything protecting data that must remain confidential for decades.

Does post-quantum mode affect how passwords look?

Post-quantum mode in PassGeni generates longer passwords (20+ characters minimum) with a fuller character set. The passwords look similar to standard generated passwords but are longer and have higher entropy. The visual difference is minor; the security improvement against future quantum attacks is meaningful.

Are passphrases post-quantum secure?

A 6-word Diceware passphrase provides approximately 77.5 bits of entropy — equivalent to about 38 bits against a quantum attacker using Grover's algorithm. This is below recommended post-quantum thresholds. For post-quantum passphrase security, use 8+ words (providing ~103 bits, or 51.5 bits post-quantum).

What's the timeline for quantum computers threatening current passwords?

Credible estimates suggest cryptographically relevant quantum computers capable of attacking current encryption are 10-20 years away, with significant uncertainty. The 'harvest now, decrypt later' threat model — where adversaries collect encrypted data today to decrypt once quantum computers exist — applies more to asymmetric encryption than to password authentication, which requires real-time access.
