2026-06-29 The Hacker News

Post-Quantum Cryptography: Why Credentials Are the First Target

Encryption, Authentication, Regulation

The public-key cryptography protecting today's credentials and encrypted data faces an expiration date. While no existing machine can crack RSA or elliptic curve cryptography, quantum hardware is advancing toward a milestone — Q-day — when Shor's algorithm, proven in 1994, will efficiently factor large numbers and compute discrete logarithms. This makes asymmetric encryption the primary vulnerability, not symmetric ciphers like AES-256 or modern hashing algorithms, which remain largely resistant to quantum attacks.

The threat is not purely future tense. The Harvest Now, Decrypt Later tactic allows adversaries to capture encrypted traffic today and stockpile it for decryption once quantum capability arrives. According to the Global Risk Institute's 2025 Quantum Threat Timeline report, 51-70% of surveyed specialists believe a cryptographically relevant quantum computer could emerge within 15 years. Any sensitive data harvested now should be treated as already exposed.

Government agencies are already setting firm deadlines. The NSA's Commercial National Security Algorithm Suite 2.0 mandates quantum-resistant algorithm support for national security systems beginning January 1, 2027, with full quantum resistance targeted by 2035. NIST's draft IR 8547 deprecates RSA-2048 and ECC P-256 after 2030 and disallows them entirely after 2035. Yet enterprise transitions typically span 5 to 15 years, with the discovery phase alone consuming 1-2 years in large organizations.

Credentials present the highest risk because their confidentiality lifetime spans years or decades — far longer than session tokens or transient data. Once public-key cryptography breaks, attackers can impersonate users, forge digital signatures, and bypass authentication systems built on RSA and ECC. Organizations should audit their cryptographic dependencies immediately, inventory where credentials are issued and validated, and begin migrating to NIST-standardized post-quantum algorithms. Security teams can start by assessing current exposure with a password checker and reviewing certificate configurations via an SSL/TLS checker, while individuals can verify whether their credentials have already been harvested using an email breach checker.
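
A first pass at the certificate part of that inventory, as an added example that is not from the original article: it reads `openssl x509 -noout -text` dumps, picks out RSA and ECC keys, and compares each certificate's expiry year with the 2030 and 2035 dates quoted above. The sample dumps and status labels are constructed, and applying the two dates to every RSA and ECC key size (the article names only RSA-2048 and P-256) is an assumption.

```python
import re

# Years as the article states them for NIST draft IR 8547.
DEPRECATED_AFTER = 2030
DISALLOWED_AFTER = 2035
# Algorithm names as printed by `openssl x509 -noout -text`.
SHOR_VULNERABLE = {"rsaEncryption": "RSA", "id-ecPublicKey": "ECC"}

# Constructed excerpts of openssl text output (not real certificates).
SAMPLE_CERTS = {
    "vpn-gateway": """
            Not After : Mar 14 12:00:00 2027 GMT
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
    """,
    "code-signing-root": """
            Not After : Jan  1 00:00:00 2041 GMT
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                NIST CURVE: P-256
    """,
    "idp-signing": """
            Not After : Jun 30 23:59:59 2033 GMT
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
    """,
}

def classify(cert_text):
    """Return (family, bits, expiry_year, status) for one certificate dump."""
    alg = re.search(r"Public Key Algorithm:\s*(\S+)", cert_text).group(1)
    m = re.search(r"Public-Key:\s*\((\d+) bit\)", cert_text)
    bits = int(m.group(1)) if m else None  # some key types print no bit size
    year = int(re.search(r"Not After\s*:.*?(\d{4}) GMT", cert_text).group(1))
    family = SHOR_VULNERABLE.get(alg)
    if family is None:
        status = "review-manually"            # not in the RSA/ECC set above
    elif year > DISALLOWED_AFTER:
        status = "outlives-disallow-date"     # still valid after 2035
    elif year > DEPRECATED_AFTER:
        status = "outlives-deprecation-date"  # still valid after 2030
    else:
        status = "within-deadlines"           # expires first; still RSA/ECC
    return family or alg, bits, year, status

def inventory(certs):
    """Classify every named certificate dump in the mapping."""
    return {name: classify(text) for name, text in certs.items()}

if __name__ == "__main__":
    for name, row in inventory(SAMPLE_CERTS).items():
        print(name, *row)
```

Certificates that land in the two "outlives" buckets are the ones whose reissue has to be planned onto a post-quantum algorithm rather than left to normal renewal.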

Source: The Hacker News