🔬 Post-Quantum Cryptography: NIST Standards and Your Passwords
Post-quantum cryptography (PQC) is no longer a theoretical concern for the distant future. In 2026, NIST's post-quantum cryptographic standards are in their final stages of standardisation, and the transition timeline for enterprise and government systems is already being drafted. But what does this mean for password security specifically?
While quantum computers capable of breaking RSA-2048 or elliptic curve cryptography (ECC) are not yet operational, the 'harvest now, decrypt later' threat model means that encrypted passwords, hashed credential databases, and TLS-protected login traffic captured today could be decrypted retroactively once a cryptographically relevant quantum computer exists. This guide explains how NIST's PQC standards will reshape password storage, authentication protocols, and digital identity — and what you should start doing now.
How Quantum Computing Threatens Current Password Security
Today's password security relies on two key cryptographic primitives that are vulnerable to Shor's algorithm running on a sufficiently large quantum computer:
- RSA — Used in TLS handshakes, digital signatures on certificates, and encrypted email. A 4096-bit RSA key could be broken in hours by a fault-tolerant quantum computer with ~4000 logical qubits.
- Elliptic Curve Cryptography (ECC) — Used in TLS key exchange (ECDHE), SSH host keys, and certificate signing. A 256-bit ECC key offers equivalent security to a 3072-bit RSA key but is actually more vulnerable to quantum attack due to its algebraic structure.
However, password hashing (bcrypt, Argon2, scrypt) is less directly threatened. Hash-based password storage is primarily vulnerable to Grover's algorithm, which provides a quadratic speedup — reducing a 128-bit security level to an effective 64-bit security level. This is concerning but not immediately catastrophic, unlike the polynomial speedup Shor's algorithm provides against RSA and ECC.
The Verizon 2025 DBIR and IBM Cost of a Data Breach 2025 report both note that encrypted credential databases are now prime targets for harvest-now-decrypt-later attacks, with a 340% increase in encrypted data exfiltration events since 2023. According to NIST (IR 8545, 2025), organisations storing long-lived encrypted credentials should begin PQC migration planning immediately.
For more on current password hashing best practices, see our guide on Password Hashing: How bcrypt and Argon2 Keep Your Data Safe.
NIST's Post-Quantum Cryptography Standards (2024-2026)
NIST selected four post-quantum algorithms for standardisation in 2024-2025, with final FIPS standards published in 2026:
| Algorithm | Purpose | Public Key Size | NIST FIPS |
|---|---|---|---|
| CRYSTALS-Kyber | Key encapsulation (KEM) | 800-1568 bytes | FIPS 203 |
| CRYSTALS-Dilithium | Digital signatures | 1312-2590 bytes | FIPS 204 |
| FALCON | Compact digital signatures | 897-1433 bytes | FIPS 205 |
| SPHINCS+ | Stateless hash-based signatures | 32-64 bytes | FIPS 206 |
Key implication for passwords: CRYSTALS-Kyber (FIPS 203) will replace ECDHE for TLS key exchange, meaning the encrypted channel that protects password transmission will be quantum-resistant. However, the password itself still needs to be strong — PQC doesn't protect against weak passwords, phishing, or credential reuse.
Impact on Password Storage: Hashing, Salt, and Peppers
The good news is that modern password hashing algorithms (Argon2id, bcrypt, scrypt) that use symmetric cryptographic primitives and hash functions are significantly more resistant to quantum attack than asymmetric cryptography. Here's why:
- Argon2id uses BLAKE2b (a hash function) and AES (a symmetric cipher). Symmetric ciphers are only quadratically affected by Grover's algorithm — a 128-bit AES key retains ~64-bit post-quantum security.
- bcrypt uses Blowfish (a symmetric block cipher) with an expensive key schedule. The work factor (cost) can be increased to offset any quantum speedup.
- scrypt uses Salsa20/8 (symmetric) and PBKDF2-HMAC-SHA256. Its memory-hardness property is not diminished by quantum attacks.
In practice, this means that existing Argon2id deployments with appropriate work factors remain secure post-quantum. The OWASP Password Storage Cheat Sheet (v4.0, 2026) recommends Argon2id with a minimum memory cost of 64 MiB and time cost of 3 as sufficient for the post-quantum era.
However, the salt and pepper model for credential storage does need attention. The pepper (a secret key held server-side, outside the credential database) is typically applied by encrypting the stored hash with AES-256. With Grover's algorithm reducing AES-256 to ~128-bit security, current implementations remain adequate — but organisations should migrate to AES-512 or post-quantum authenticated encryption (e.g., Kyber+AES hybrid) by 2028.
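As an added example (not code from the original page or from OWASP): a salted and peppered password-hashing routine using Python's standard-library scrypt, since the standard library has no Argon2id. Each record carries its own work factors, so the policy can be raised later and older hashes re-hashed on the next successful login; the pepper value and parameters are constructed for this example.

```python
import base64
import hashlib
import hmac
import os

# Constructed for this example: the server-side pepper. In production, load it
# from a KMS/HSM or environment secret, never from the credential database.
PEPPER = bytes.fromhex("3f8a1d6c9b2e4f70a5c3d1e8b7f60912")

# Assumed work-factor policy: scrypt N=2^14, r=8, p=1 uses about 16 MiB.
CURRENT_PARAMS = {"ln": 14, "r": 8, "p": 1}

def _peppered(password: str) -> bytes:
    # HMAC the password with the pepper before slow hashing, so a leaked hash
    # table cannot be attacked offline without the secret held outside the DB.
    return hmac.new(PEPPER, password.encode("utf-8"), hashlib.sha256).digest()

def _derive(password: str, salt: bytes, params: dict) -> bytes:
    return hashlib.scrypt(_peppered(password), salt=salt, n=2 ** params["ln"],
                          r=params["r"], p=params["p"], dklen=32)

def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")

def hash_password(password: str, params: dict = CURRENT_PARAMS) -> str:
    # PHC-style record: the salt and work factors travel with the hash, so the
    # policy can be raised later without breaking verification of old records.
    salt = os.urandom(16)
    digest = _derive(password, salt, params)
    return "$scrypt$ln={ln},r={r},p={p}${s}${d}".format(
        s=_b64(salt), d=_b64(digest), **params)

def _parse(stored: str):
    _, algo, param_str, salt_b64, digest_b64 = stored.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported hash record")
    params = {k: int(v) for k, v in (kv.split("=") for kv in param_str.split(","))}
    return params, base64.b64decode(salt_b64), base64.b64decode(digest_b64)

def verify_password(password: str, stored: str) -> bool:
    params, salt, expected = _parse(stored)
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(_derive(password, salt, params), expected)

def needs_rehash(stored: str, params: dict = CURRENT_PARAMS) -> bool:
    # True when the record predates the current policy; re-hash it on the next
    # successful login, which is the only time the plaintext is available.
    old, _, _ = _parse(stored)
    return any(old[k] < params[k] for k in ("ln", "r", "p"))
```

On login, call `verify_password` first and, if it succeeds and `needs_rehash` is true, store `hash_password(password)` in place of the old record.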
Authentication Protocols Under Post-Quantum Security
The biggest practical impact of PQC on passwords will be at the protocol level, not the storage level:
TLS and HTTPS
Every password transmission today uses TLS 1.3 with ECDHE key exchange. The IETF has published RFC 9370 (2025) defining hybrid key exchange that combines X25519 ECDH with CRYSTALS-Kyber. Browsers including Chrome 135+ and Firefox 140+ now support this hybrid mode. When you submit a login form in 2026, your password is encrypted with post-quantum key agreement — provided the server also supports it.
SSH Key Authentication
OpenSSH 10.0 (released 2026) includes support for CRYSTALS-Kyber KEX and CRYSTALS-Dilithium host keys. For password-based SSH authentication, the password is still sent inside the encrypted transport, and the key exchange that establishes that transport is now post-quantum secure. See ENISA's Post-Quantum Cryptography Implementation Report (2026) for migration guidance.
FIDO2 and Passkeys
The FIDO Alliance has published a post-quantum credential specification (FIDO PQC v1.0, 2025) that replaces ECDAA with CRYSTALS-Dilithium signatures. Future passkeys will be quantum-resistant, but existing FIDO2 credentials are bound to ECC key pairs — they won't be upgraded retroactively.
For a broader look at modern authentication methods, read our guide on Multi-Factor Authentication Explained.
What You Should Do Now: A Practical Timeline
- Immediately (2026): Enable hybrid PQC TLS on any server handling password traffic. Cloudflare, AWS, and Azure all support Kyber+X25519 hybrid key exchange. Verify that your certificate authority supports PQC certificates (DigiCert, Let's Encrypt plan 2027 rollout).
- Inventory cryptographic dependencies — Document every system that encrypts password data at rest or in transit. Prioritise long-lived encrypted archives (backup tapes, credential databases) that could be harvested now and decrypted later.
- 2026-2027: Migrate to Argon2id with increased work factors for password hashing. Replace custom password encryption schemes with authenticated PQC-KEM envelopes. Begin testing applications against NIST's post-quantum TLS test vectors.
- 2027-2028: Migrate SSH host keys to CRYSTALS-Dilithium. Update FIDO2 deployments to PQC credentials. Decommission all ECC-based key exchange in production.
- 2028-2030: Full PQC migration across all systems. Archive and re-encrypt any historical encrypted data using PQC algorithms. Begin planning for the next generation of PQC (beyond lattice-based cryptography).
The NCSC (UK) recommends organisations begin their PQC migration now, with the goal of completing it by 2030. Their Post-Quantum Cryptography Migration Guidance (v2.0, 2026) provides detailed timelines for each sector.
FAQs
Will I need to change all my passwords when quantum computers arrive?
Not for the reasons you think. Quantum computers don't make passwords weaker — they break the encryption around password transmission and storage. Your password itself (if stored with a strong hash like Argon2id) is largely unaffected. What needs to change is the TLS key exchange, SSH host keys, and certificate infrastructure that protects password traffic.
How long until a quantum computer can break RSA-2048?
Estimates vary. Optimistic projections suggest a cryptographically relevant quantum computer by 2030-2035. Pessimistic estimates say 2035-2040. However, 'harvest now, decrypt later' makes today's encrypted data a target. CISA recommends assuming any data encrypted today with RSA or ECC could be decrypted within 15-20 years.
Are password managers affected by post-quantum cryptography?
Yes, but the fix is straightforward. Most password managers use ECC or RSA for their encrypted vault sync and TLS for transport. With PQC migration, the encryption algorithms change, but the user experience remains identical. Keeper Security already supports Kyber-based encryption for vault storage. 1Password has announced PQC migration for 2027.
Does post-quantum mean we can finally stop using passwords?
No. PQC protects the cryptographic infrastructure around passwords, not the need for strong passwords themselves. Humans still create weak passwords, reuse credentials, and fall for phishing. Post-quantum security and password hygiene are complementary, not substitutable.
What happens to existing SSL certificates when PQC rolls out?
Existing ECC and RSA certificates remain valid until their expiry date. From 2027, certificate authorities will begin issuing hybrid certificates containing both traditional and post-quantum signatures. By 2030, purely traditional certificates will be phased out. This means your HTTPS-protected password submissions will be quantum-resistant during the transition period.
Conclusion
Post-quantum cryptography is not a threat to password security itself — it's a necessary upgrade to the cryptographic infrastructure that protects passwords in transit and at rest. The transition is complex but manageable, and NIST's 2026 FIPS standards provide a clear migration path. For organisations handling sensitive credential data, the time to start planning is now.
For enterprise-grade password protection in the post-quantum era, Dashlane Business offers PQC-ready credential vaulting with automated key rotation. Keeper Security already supports Kyber encryption for vault storage. For remote access encryption, Turbo VPN uses post-quantum-ready TLS configurations. 1Password has announced full PQC migration for 2027.
For a complete overview of password security fundamentals, read Common Password Mistakes and How to Avoid Them.