As quantum computing advances, the security of current encrypted data, particularly credentials, is at risk. While today’s quantum computers cannot yet break public-key cryptography methods like RSA or elliptic curve cryptography, rapid progress in quantum hardware suggests that this will change. Attackers can intercept and store encrypted data now, with the intention of decrypting it once quantum capabilities mature.
Assessing the Urgency of Quantum-Resistant Cryptography
The Global Risk Institute’s 2025 Quantum Threat Timeline report indicates that a significant majority of security experts anticipate the arrival of quantum computers capable of breaking current cryptographic systems within the next 15 years. This concern stems from Peter Shor’s 1994 discovery that quantum algorithms can efficiently solve problems that underpin public-key cryptography. While symmetric encryption methods like AES-256 remain secure against quantum attacks, the vulnerability of public-key systems is critical because they establish trust and key agreement. If these systems are compromised, attackers could access protected data and credentials.
The immediate threat lies in the “Harvest Now, Decrypt Later” strategy, where adversaries collect encrypted data today to decrypt in the future when quantum technology becomes available. Given the plausible development of such quantum computers within 15 years, data intercepted now should be considered potentially exposed.
Government Initiatives and Deadlines
Recognizing the impending quantum threat, government agencies are setting deadlines for transitioning to quantum-resistant cryptography. The NSA’s Commercial National Security Algorithm Suite 2.0 mandates that new national security systems support quantum-resistant algorithms starting January 1, 2027, with a goal for all systems to be quantum-resistant by 2035. Similarly, NIST’s draft IR 8547 plans to deprecate RSA-2048 and ECC P-256 after 2030, disallowing them entirely post-2035. Although these deadlines may seem distant, transitioning large enterprises can take 5 to 15 years, with the initial discovery phase alone requiring 1 to 2 years.
Credentials: A High-Risk Target in a Post-Quantum World
Within organizations, not all encrypted data faces equal risk as cryptographic methods become obsolete. While some secrets, like session tokens, have short confidentiality lifespans, credentials often persist for years, as long as their associated systems are operational. This longevity makes credentials particularly valuable to attackers employing the “Harvest Now, Decrypt Later” approach. The risk is amplified by the proliferation of Non-Human Identities (NHIs), such as service accounts and API keys, which are typically long-lived and may lack regular rotation or inventory checks, making them prime targets for harvesting.
Initiating a Credentials-Focused Quantum Migration
Given that credentials represent a concentrated risk, organizations should prioritize them in their quantum migration strategies. A credentials-first approach involves several key steps:
Inventory Existing Cryptographic Assets
Organizations often struggle with migrations due to a lack of comprehensive knowledge about their cryptographic dependencies. Initiating an inventory focused on credentials involves identifying systems that store or manage secrets, including password managers, secrets managers, and Privileged Access Management (PAM) platforms. This process may uncover forgotten service accounts, hardcoded secrets, or dormant integrations.
Prioritize Based on Risk Exposure
Rather than focusing solely on the size of systems, organizations should assess the confidentiality lifespan and exposure of their credentials. A small, long-lived secret that grants access to critical systems poses a greater risk than a large but short-lived dataset. Prioritizing based on this risk assessment ensures that the most vulnerable credentials are secured first.
Adopt Hybrid Cryptographic Solutions
Instead of outright replacing classical algorithms, organizations can implement hybrid cryptography, combining traditional algorithms with quantum-resistant ones in the same key exchange. This approach safeguards against both current and future threats, maintaining protection while transitioning to quantum-resistant methods.
Develop Crypto-Agility
Recognizing that cryptographic standards evolve, organizations should build systems with crypto-agility, allowing for seamless algorithm updates without extensive re-engineering. Centralizing cryptographic functions ensures that changes can be implemented efficiently across applications, pipelines, and integrations.
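The inventory and prioritization steps above can be sketched as a small triage script. This is an added example, not code from the original article; the record fields, the algorithm prefixes, the 10-year default lifetime for never-rotated secrets, and the sample inventory are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Classical public-key families (assumed prefixes); AES-256 and ML-KEM are not listed.
CLASSICAL_PUBLIC_KEY = ("RSA", "ECDH", "ECDSA", "X25519")
ASSUMED_SYSTEM_LIFE_DAYS = 10 * 365  # assumption: a never-rotated secret lives 10 years

@dataclass
class Secret:
    name: str
    protection: str               # algorithm(s) wrapping the secret in transit or at rest
    rotation_days: Optional[int]  # None = never rotated
    criticality: int              # 1 = low, 3 = access to critical systems
    size_bytes: int               # recorded, deliberately not scored

def is_quantum_vulnerable(protection: str) -> bool:
    """True only if every component is classical public-key.
    A hybrid such as X25519+ML-KEM-768 holds while one component holds."""
    parts = [p.strip().upper() for p in protection.split("+")]
    return all(p.startswith(CLASSICAL_PUBLIC_KEY) for p in parts)

def exposure_score(s: Secret) -> float:
    """Criticality x years a captured copy stays useful; 0 if not quantum-vulnerable."""
    if not is_quantum_vulnerable(s.protection):
        return 0.0
    days = s.rotation_days if s.rotation_days is not None else ASSUMED_SYSTEM_LIFE_DAYS
    return s.criticality * days / 365

def prioritize(inventory):
    """Names of exposed secrets, highest score first."""
    scored = [(exposure_score(s), s.name) for s in inventory]
    return [name for score, name in sorted(scored, reverse=True) if score > 0]

# Constructed inventory, not from the original article.
INVENTORY = [
    Secret("session-token", "ECDH-P256", 1, 2, 512),
    Secret("ci-deploy-api-key", "RSA-2048", None, 3, 64),
    Secret("analytics-export", "RSA-2048", 30, 1, 5_000_000_000),
    Secret("db-service-account", "X25519+ML-KEM-768", None, 3, 32),
    Secret("backup-wrapping-key", "AES-256", None, 3, 32),
]

if __name__ == "__main__":
    for name in prioritize(INVENTORY):
        print(name)
```

In this constructed inventory the 64-byte, never-rotated deploy key ranks above the 5 GB export that rotates monthly, while the hybrid-protected and AES-256-protected secrets drop out of the list.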
Proactively addressing the quantum threat by focusing on credentials is essential. The potential for attackers to harvest and later decrypt sensitive data underscores the need for immediate action. By prioritizing credentials in their quantum migration plans, organizations can mitigate risks and prepare for a secure future in the quantum era.