Abstract
Key Points at a Glance
- Passwords are protected by password hashing and symmetric cryptography—Grover's algorithm gives only a quadratic speedup in ideal brute-force search, not the exponential break that media headlines imply.
- Today's RSA and elliptic-curve public-key cryptography are broken by Shor's algorithm on a sufficiently large fault-tolerant quantum computer—this is the actual quantum threat to online security.
- A strong password (16+ random alphanumeric characters, or longer passphrases) retains a strong margin against known quantum brute-force attacks, especially when stored with a memory-hard password hashing function.
- The real danger is indirect: quantum computers break the authentication and key-exchange layer (TLS) that protects password transmission—exposing passwords in transit, not in storage.
- Mitigation already exists: post-quantum cryptography standards (ML-KEM, ML-DSA) are being deployed to protect the transport layer today.
1. The Myth: "Quantum Computers Will Crack All Passwords Instantly"
Search "quantum computer password" and you'll find thousands of articles claiming quantum computers will render all passwords useless overnight. This narrative conflates two fundamentally different branches of cryptography:
- Symmetric cryptography and hashing—used to store passwords and encrypt data at rest. Examples: AES, bcrypt, Argon2, SHA-256.
- Asymmetric (public-key) cryptography—used to transport passwords securely over the Internet and to authenticate servers. Examples: RSA, ECDH, ECDSA.
Quantum computers pose a catastrophic threat to the second category once large fault-tolerant machines exist, but only a manageable and much less direct threat to the first. The confusion arises because most people think of "encryption" as a single monolithic thing. It isn't. When you type your password into a login form, at least three different cryptographic systems are at work: TLS key exchange (asymmetric), TLS authentication (asymmetric), and password storage on the server (password hashing). Quantum computers threaten today's RSA and elliptic-curve versions of the first two through Shor's algorithm—and the third only through Grover-style search, with substantial implementation overhead for real password hashing functions.
2. How Passwords Are Actually Protected
When a website stores your password, it does not keep the password itself. Instead, it runs the password through a one-way hash function—a mathematical blender that produces a fixed-length output (the "hash") from which the original password cannot be recovered. When you log in, the server hashes your input and compares it to the stored hash.
Password Hashing: Designed to Be Slow
Modern password hashing algorithms—Argon2id, bcrypt, and scrypt—are deliberately expensive to compute. Each verification can require significant memory and CPU time, making brute-force enumeration of password guesses costly even on classical hardware. The exact cost depends on the algorithm parameters and hardware, so password-hash attack estimates should be treated as system-specific rather than universal constants. This matters for quantum analysis too: a Grover oracle for a password attack must implement the full verification computation, including the cost of memory-hard password hashing where applicable.
Symmetric Encryption: No Algebraic Shortcut
Symmetric algorithms like AES-256 protect data with a shared secret key. Their security rests on the absence of exploitable mathematical structure—there is no hidden periodicity, no group structure, no algebraic shortcut comparable to the one Shor's algorithm uses against RSA and elliptic curves. The generic attack is brute force: try possible keys until the right one is found. For AES-256, that means an ideal search space of 2^256 possibilities classically, or roughly 2^128 Grover iterations in the ideal quantum model.
Why Structure Matters
Shor's algorithm exploits hidden algebraic periodicity—the regular mathematical patterns inside RSA's modular exponentiation and elliptic curve group operations. Symmetric ciphers and hash functions deliberately avoid such structure. Without it, quantum computers have no exponential shortcut. They can search faster (via Grover), but they cannot leap to the answer.
3. Grover's Algorithm: The Real Quantum Threat to Passwords
In 1996, Lov Grover published a quantum algorithm for unstructured search: given a function that outputs "yes" for exactly one input out of N possibilities, Grover's algorithm finds that input in approximately √N steps instead of N/2 on average classically. This is a quadratic speedup—significant, but not the exponential devastation of Shor's algorithm.
These iteration counts are best understood as idealised query complexity, not direct wall-clock cracking times. A real quantum attack must implement the target computation as a reversible quantum oracle, pay the cost of fault-tolerant error correction, and repeat the oracle many times. For password hashes such as Argon2id or scrypt, memory-hardness further complicates the attack model.
What This Means in Practice
Applied to cryptographic brute-force:
- A 128-bit key (AES-128) requires 2^128 classical guesses but only ~2^64 Grover iterations
- A 256-bit key (AES-256) requires 2^256 classical guesses but only ~2^128 Grover iterations
- A 16-character random alphanumeric password (roughly 95 bits of entropy) would require ~2^47.5 Grover iterations in the ideal search model instead of ~2^95 classical guesses
The mitigation for symmetric keys is straightforward: increase the key length to restore the desired security margin against Grover-style search. AES-256 provides roughly 128 bits of ideal quantum search security—similar to the classical security margin commonly associated with AES-128. For passwords, the equivalent mitigation is longer, randomly generated, unique passwords combined with slow, salted, memory-hard password hashing.
Shor's Algorithm
Targets: RSA, ECDH, ECDSA
Exponential speedup — reduces RSA and elliptic-curve security from infeasible classically to polynomial time on a sufficiently large fault-tolerant quantum computer.
Broken under CRQC
Grover's Algorithm
Targets: AES, SHA, password hashes
Quadratic speedup — halves the ideal bit-security. AES-256 goes from 2^256 classical search to roughly 2^128 Grover iterations.
Manageable margin
Why Grover Is Not Practical Yet
Running Grover's algorithm against AES-128 would require about 2^64 ideal Grover iterations, plus a reversible quantum circuit implementing the full AES round function as an oracle and substantial fault-tolerant error-correction overhead. Current publicly known quantum computers remain noisy and are far from the scale required for cryptanalytic attacks. Grover search also does not parallelise as efficiently as classical brute force: splitting the search across multiple quantum processors gives a limited improvement compared with the near-linear parallelism of classical brute-force search. The practical threat from Grover remains much less urgent than the threat Shor's algorithm poses to public-key cryptography.
| Target | Bit Strength | Classical Attack | Quantum (Grover) | Verdict |
|---|---|---|---|---|
| 8-char password (mixed case + digits) | ~47.6 bits | Weak against modern offline attacks | ~2^23.8 ideal Grover iterations | Weak |
| 12-char random alphanumeric password | ~71.5 bits | Strong only if truly random and well hashed | ~2^35.8 ideal Grover iterations | Reduced margin |
| 16-char random alphanumeric password | ~95.3 bits | Strong against realistic offline attacks | ~2^47.6 ideal Grover iterations | Strong margin |
| 20-char random alphanumeric password | ~119.1 bits | Very strong margin | ~2^59.6 ideal Grover iterations | Strong margin |
| AES-128 key | 128 bits | ~2^128 ideal key search | ~2^64 ideal Grover iterations | Reduced quantum margin |
| AES-256 key | 256 bits | ~2^256 ideal key search | ~2^128 ideal Grover iterations | Strong margin |
| RSA-2048 key | ~112 bits (classical) | Classically infeasible | Polynomial time with Shor on a CRQC | Broken under CRQC |
| ECDSA P-256 key | ~128 bits (classical) | Classically infeasible | Polynomial time with Shor on a CRQC | Broken under CRQC |
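The password rows above can be recomputed, and the parallelisation limit made concrete, with a short script. This is an added example, not code from the original article; it goes slightly beyond the table by modelling a search split across M machines, and the function names and the 2^20-machine figure are assumptions chosen for illustration.

```python
import math
import secrets
import string

ALPHANUMERIC = string.ascii_letters + string.digits  # 62 symbols, as in the table


def generate_password(length, alphabet=ALPHANUMERIC):
    """Draw every character independently and uniformly from a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHANUMERIC)):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def classical_log2_guesses(bits, machines=1):
    """log2 of guesses per machine to cover the space: work divides linearly."""
    return bits - math.log2(machines)


def grover_log2_iterations(bits, machines=1):
    """log2 of ideal sequential Grover iterations per machine (constants dropped).

    Each of M machines searches N/M candidates in ~sqrt(N/M) iterations,
    so M machines shorten the run by only sqrt(M), not M.
    """
    return (bits - math.log2(machines)) / 2


def min_length_for(grover_bits, alphabet_size=len(ALPHANUMERIC)):
    """Shortest random password whose ideal Grover exponent reaches grover_bits."""
    return math.ceil(2 * grover_bits / math.log2(alphabet_size))


def margin_table(lengths=(8, 12, 16, 20), machines=2**20):
    """Rows of (length, entropy, Grover exponent, Grover exponent on M machines)."""
    rows = []
    for n in lengths:
        bits = entropy_bits(n)
        rows.append((n, round(bits, 1),
                     round(grover_log2_iterations(bits), 1),
                     round(grover_log2_iterations(bits, machines), 1)))
    return rows


if __name__ == "__main__":
    print("sample 16-char password:", generate_password(16))
    for row in margin_table():
        print("len=%2d  entropy=%.1f bits  Grover=2^%.1f  on 2^20 machines=2^%.1f" % row)
    print("length needed for a 2^64 Grover margin:", min_length_for(64))
```

Exponents are computed from the unrounded entropy, so the first decimal can differ slightly from figures obtained by halving an already rounded bit count. A million machines remove 20 bits from a classical search but only 10 from the Grover exponent.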
4. What Quantum Computers Actually Break
The real quantum catastrophe is not about passwords directly—it's about the public-key infrastructure that underpins the entire Internet. Every time you visit a website, your browser performs a TLS handshake that usually uses:
- Key exchange (ECDH or RSA)—to agree on a shared session key without transmitting it in the open
- Digital signatures (ECDSA or RSA)—to verify that you're talking to the real server, not an impostor
Shor's algorithm breaks today's RSA and elliptic-curve versions of both operations in polynomial time on a sufficiently large fault-tolerant quantum computer. This means a cryptographically relevant quantum computer could:
- Break the key exchange and recover the session key
- Decrypt all traffic in the session, including any password you type
- Forge digital signatures, impersonating any server
Your Password Is Only as Safe as the Channel That Carries It
Even a 64-character, perfectly random password does not protect the login flow if the TLS connection carrying it to the server can be decrypted or impersonated by a quantum-equipped adversary. The password itself can retain a strong quantum margin; the classical public-key channel does not. This is why the real urgency is upgrading public-key infrastructure to hybrid post-quantum TLS and post-quantum authentication, not merely changing password policies.
The Harvest-Now, Decrypt-Later Threat
State-level adversaries can intercept and store encrypted network traffic today. When a cryptographically relevant quantum computer arrives, they may be able to retroactively decrypt sessions captured years earlier—recovering sensitive data, long-lived credentials, or reusable secrets that crossed the wire. This Harvest-Now, Decrypt-Later attack is not merely theoretical; it is documented in NIST guidance as a current planning concern.
5. The Indirect Threat: Passwords in a Post-Quantum World
Understanding the complete picture requires seeing how passwords interact with public-key cryptography at every stage of the authentication lifecycle:
Password Transmission
When you submit a login form, your password travels over a TLS-encrypted connection. If the TLS key exchange or server authentication still relies only on classical RSA or elliptic-curve cryptography and is broken by a cryptographically relevant quantum computer, the password can be exposed in transit—regardless of how well it is stored on the server.
Session Tokens and OAuth
After authentication, your browser receives a session cookie or OAuth token. These are transmitted over the same TLS channel. Break the channel, and you can steal the session without ever needing the password.
Password Reset Flows
Password reset emails contain tokens or links. Email transport often relies on TLS via STARTTLS, but deployment and enforcement vary across mail paths. A quantum attacker who can decrypt or impersonate vulnerable transport connections could capture reset tokens and take over accounts without touching the password hash.
The Full Attack Surface
Even if your password hash stored on the server has a strong quantum margin, many other links in the authentication chain still rely on public-key cryptography that Shor's algorithm breaks when RSA or elliptic curves are used: TLS key exchange, TLS server authentication, certificate authorities, OAuth token exchange, and email transport encryption. The password hash can be the strongest link in a chain where multiple other links are quantum-vulnerable.
6. What You Should Do Today
The good news: the solutions already exist and are being deployed. Here is what individuals and organisations should prioritise:
For Individuals
- Use strong, unique passwords—16+ random alphanumeric characters provide about 95 bits of entropy, while longer passphrases can also provide strong protection if generated with enough randomness. Use a unique password for every account.
- Use a password manager—it generates and stores random passwords that humans cannot remember, making long passwords practical for every account.
- Enable FIDO2/passkeys where available—passkeys eliminate transmission of a reusable password and use origin-bound challenge-response authentication. They reduce the impact of password interception, although TLS remains essential for protecting the session, cookies, tokens, and server identity.
- Enable multi-factor authentication (MFA)—even if a password is compromised via a broken TLS session, a second factor (TOTP, hardware key) adds a layer that cannot be extracted from network traffic alone.
- Don't panic about changing passwords—your stored password hashes are not the weak link. Focus on account security hygiene (MFA, passkeys) rather than rotating passwords more frequently.
For Organisations and Developers
- Deploy hybrid post-quantum TLS key exchange—modern browser and infrastructure ecosystems are moving toward X25519MLKEM768. Enable hybrid post-quantum key exchange where available to protect data in transit against harvest-now attacks, and track the separate migration path for post-quantum certificate signatures.
- Inventory your public-key dependencies—map every TLS termination point, VPN gateway, certificate authority, and key management system. These are your quantum-vulnerable surfaces.
- Use Argon2id or another modern slow, salted password hashing function for password storage—Argon2id is the preferred modern choice in many deployments, while bcrypt and scrypt remain common alternatives when configured properly. Do not store passwords with fast general-purpose hashes such as SHA-256 alone.
- Implement cryptographic agility—design systems to swap algorithms (e.g., from ECDH to ML-KEM) without architectural overhaul.
- Monitor PQC deployment timelines—NIST, BSI, and NCSC all publish migration guidance. Track their deadlines for your compliance requirements.
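The storage advice above, and the earlier point that password hashing is deliberately slow and parameter-dependent, can be shown with a salted, memory-hard record beside the fast unsalted pattern to avoid. This is an added example, not code from the original article: it uses scrypt because Python's standard library ships it (Argon2id needs a third-party package), and the cost parameters, record format and function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed illustrative cost parameters (not from the article); tune per system.
N, R, P, KEY_LEN = 2**14, 8, 1, 32        # about 16 MiB of memory per hash
MAXMEM = 64 * 1024 * 1024                  # upper bound accepted when verifying


def fast_unsalted_hash(password):
    """The weak pattern: one fast SHA-256, no salt, identical for equal passwords."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password, n=N):
    """Return a self-describing record: scheme$n$r$p$salt$derived_key."""
    salt = secrets.token_bytes(16)         # unique per stored password
    dk = hashlib.scrypt(password.encode(), salt=salt, n=n, r=R, p=P,
                        maxmem=MAXMEM, dklen=KEY_LEN)
    return "$".join(["scrypt", str(n), str(R), str(P), salt.hex(), dk.hex()])


def _parse(record):
    scheme, n, r, p, salt, dk = record.split("$")
    if scheme != "scrypt":
        raise ValueError("unknown scheme")
    n, r, p, salt, dk = int(n), int(r), int(p), bytes.fromhex(salt), bytes.fromhex(dk)
    # Refuse malformed parameters and ones that would exceed the resource bound.
    if (n < 2 or n & (n - 1) or r < 1 or not 1 <= p <= 16
            or 128 * n * r >= MAXMEM or len(dk) != KEY_LEN):
        raise ValueError("bad parameters")
    return n, r, p, salt, dk


def verify_password(password, record):
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        n, r, p, salt, expected = _parse(record)
    except ValueError:
        return False
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p,
                               maxmem=MAXMEM, dklen=KEY_LEN)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record):
    """True when a record was created with weaker cost than the current policy."""
    n, r, p, _, _ = _parse(record)
    return n < N or r < R or p < P
```

Storing the parameters inside each record lets the cost be raised later: verify against the old parameters at login, then re-hash when `needs_rehash` returns true.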
Check Your TLS Quantum Readiness
Want to verify whether your website or service already supports post-quantum key exchange? Use our PQC Tools to test your TLS configuration for hybrid ML-KEM support.
7. The Bottom Line
The quantum threat to passwords is real but widely misunderstood. Here is the complete picture in one table:
| What | Quantum Threat | Why | Verdict |
|---|---|---|---|
| Password hash (Argon2id, bcrypt, scrypt) | Grover-style search, with oracle overhead | Halves ideal search bit-security; strong random passwords plus memory-hard hashing retain a strong margin | STRONG MARGIN |
| AES-256 encrypted data | Grover (quadratic) | 256 → roughly 128-bit ideal quantum search security | STRONG MARGIN |
| SHA-256 / HMAC | Grover and related quantum search bounds | Preimage resistance is reduced in the ideal model; HMAC remains strongly conservative when used correctly | STRONG MARGIN |
| RSA-2048 (TLS, signatures) | Shor (exponential) | Factoring solved in polynomial time on a CRQC | BROKEN UNDER CRQC |
| ECDH / ECDSA (TLS key exchange and signatures) | Shor (exponential) | Discrete logarithm solved in polynomial time on a CRQC | BROKEN UNDER CRQC |
| Password in transit (over classical RSA/ECC-only TLS) | Shor (indirect) | Vulnerable key exchange or authentication can expose or impersonate the channel | QUANTUM-VULNERABLE |
| Password in transit (over hybrid PQC TLS key exchange) | No known efficient quantum attack against the key exchange | ML-KEM hybrid key exchange protects confidentiality; certificate-signature migration is a related but separate requirement | STRONGER, NOT COMPLETE |
The real urgency is not about passwords themselves—it's about migrating the public-key infrastructure that protects password transmission, session management, and authentication. Passwords and symmetric cryptography can retain strong security margins with high entropy, proper hashing, and conservative key sizes. The public-key layer requires a fundamental algorithmic replacement—and that replacement (ML-KEM, hybrid TLS key exchange, and post-quantum signatures) is already being standardised and deployed.
How to Cite This Article
APA: PostQuantumSecurity.org. (2026, June 21). Will Quantum Computers Break Your Password? https://www.postquantumsecurity.org/publications/pqc_password.html
IEEE: PostQuantumSecurity.org, "Will Quantum Computers Break Your Password?," Jun. 21, 2026. [Online]. Available: https://www.postquantumsecurity.org/publications/pqc_password.html
LaTeX/BibTeX:
@misc{pqsecurity_password_quantum,
author = {{PostQuantumSecurity.org}},
title = {Will Quantum Computers Break Your Password?},
year = {2026},
month = jun,
day = {21},
url = {https://www.postquantumsecurity.org/publications/pqc_password.html}
}
References
- Grover, L. K. (1996). A fast quantum mechanical algorithm for database search. Proceedings of the 28th Annual ACM Symposium on Theory of Computing (STOC), 212–219. https://doi.org/10.1145/237814.237866
- Shor, P. W. (1997). Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Journal on Computing, 26(5), 1484–1509. https://doi.org/10.1137/S0097539795293172
- National Institute of Standards and Technology (NIST). (2016). NISTIR 8105: Report on Post-Quantum Cryptography. https://csrc.nist.gov/pubs/ir/8105/final
- National Institute of Standards and Technology (NIST). (2024). FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard. https://csrc.nist.gov/pubs/fips/203/final
- Jaques, S., Naehrig, M., Roetteler, M., & Virdia, F. (2020). Implementing Grover oracles for quantum key search on AES and LowMC. EUROCRYPT 2020, LNCS 12106. https://doi.org/10.1007/978-3-030-45724-2_10
- Grassl, M., Langenberg, B., Roetteler, M., & Steinwandt, R. (2016). Applying Grover's algorithm to AES: Quantum resource estimates. Post-Quantum Cryptography (PQCrypto 2016), LNCS 9606. https://doi.org/10.1007/978-3-319-29360-8_3
- Biham, E., Boyer, M., Boykin, P. O., Mor, T., & Roychowdhury, V. (1999). A proof of the security of quantum key distribution (includes analysis of Grover parallelization limits). https://doi.org/10.1145/335305.335406
- Bundesamt für Sicherheit in der Informationstechnik (BSI). (2025). TR-02102-1: Cryptographic mechanisms: Recommendations and key lengths. https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.html
- National Institute of Standards and Technology (NIST). (2024). SP 800-63B-4: Digital Identity Guidelines: Authentication and Authenticator Management. https://pages.nist.gov/800-63-4/sp800-63b.html
- OWASP Foundation. Password Storage Cheat Sheet. https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html