Will Quantum Computers Break Your Password?

Type: Technical Briefing
Published: June 2026
Keywords: Quantum Computing, Passwords, Grover's Algorithm, Symmetric Cryptography, Public-Key Cryptography, Post-Quantum Cryptography

Abstract

Headlines warn that quantum computers will crack every password on the planet. The reality is more nuanced—and more interesting. Passwords are protected by password hashing and symmetric cryptography, where the best known generic quantum attack (Grover's algorithm) provides only a quadratic speedup: in an ideal unstructured search, it halves the effective bit-strength rather than destroying it. A 256-bit symmetric key becomes roughly 128-bit secure against a quantum attacker—still far beyond brute-force reach under known attacks. The genuine quantum threat lies elsewhere: Shor's algorithm delivers an exponential speedup against today's public-key cryptography (RSA, Elliptic Curve Diffie-Hellman, Elliptic Curve Digital Signature Algorithm) that protects Transport Layer Security (TLS) key exchange and server authentication. In other words, quantum computers are unlikely to guess a strong password directly—but they could break the classical public-key lock on the channel that carries it. This article separates myth from mathematics, explains what is and isn't at risk, and outlines what individuals and organisations should do today.

Key Points at a Glance

  • Passwords are protected by password hashing and symmetric cryptography—Grover's algorithm gives only a quadratic speedup in ideal brute-force search, not the exponential break that media headlines imply.
  • Today's RSA and elliptic-curve public-key cryptography are broken by Shor's algorithm on a sufficiently large fault-tolerant quantum computer—this is the actual quantum threat to online security.
  • A strong password (16+ random alphanumeric characters, or longer passphrases) retains a strong margin against known quantum brute-force attacks, especially when stored with a memory-hard password hashing function.
  • The real danger is indirect: quantum computers break the authentication and key-exchange layer (TLS) that protects password transmission—exposing passwords in transit, not in storage.
  • Mitigation already exists: post-quantum cryptography standards (ML-KEM, ML-DSA) are being deployed to protect the transport layer today.

1. The Myth: "Quantum Computers Will Crack All Passwords Instantly"

Search "quantum computer password" and you'll find thousands of articles claiming quantum computers will render all passwords useless overnight. This narrative conflates two fundamentally different branches of cryptography:

Quantum computers pose a catastrophic threat to the second category once large fault-tolerant machines exist, but only a manageable and much less direct threat to the first. The confusion arises because most people think of "encryption" as a single monolithic thing. It isn't. When you type your password into a login form, at least three different cryptographic systems are at work: TLS key exchange (asymmetric), TLS authentication (asymmetric), and password storage on the server (password hashing). Quantum computers threaten today's RSA and elliptic-curve versions of the first two through Shor's algorithm—and the third only through Grover-style search, with substantial implementation overhead for real password hashing functions.

2. How Passwords Are Actually Protected

When a website stores your password, it does not keep the password itself. Instead, it runs the password through a one-way hash function—a mathematical blender that produces a fixed-length output (the "hash") from which the original password cannot be recovered. When you log in, the server hashes your input and compares it to the stored hash.

Password Hashing: Designed to Be Slow

Modern password hashing algorithms—Argon2id, bcrypt, and scrypt—are deliberately expensive to compute. Each verification can require significant memory and CPU time, making brute-force enumeration of password guesses costly even on classical hardware. The exact cost depends on the algorithm parameters and hardware, so password-hash attack estimates should be treated as system-specific rather than universal constants. This matters for quantum analysis too: a Grover oracle for a password attack must implement the full verification computation, including the cost of memory-hard password hashing where applicable.

Symmetric Encryption: No Algebraic Shortcut

Symmetric algorithms like AES-256 protect data with a shared secret key. Their security rests on the absence of exploitable mathematical structure—there is no hidden periodicity, no group structure, no algebraic shortcut comparable to the one Shor's algorithm uses against RSA and elliptic curves. The generic attack is brute force: try possible keys until the right one is found. For AES-256, that means an ideal search space of 2256 possibilities classically, or roughly 2128 Grover iterations in the ideal quantum model.

Why Structure Matters

Shor's algorithm exploits hidden algebraic periodicity—the regular mathematical patterns inside RSA's modular exponentiation and elliptic curve group operations. Symmetric ciphers and hash functions deliberately avoid such structure. Without it, quantum computers have no exponential shortcut. They can search faster (via Grover), but they cannot leap to the answer.

3. Grover's Algorithm: The Real Quantum Threat to Passwords

In 1996, Lov Grover published a quantum algorithm for unstructured search: given a function that outputs "yes" for exactly one input out of N possibilities, Grover's algorithm finds that input in approximately √N steps instead of N/2 on average classically. This is a quadratic speedup—significant, but not the exponential devastation of Shor's algorithm.

These iteration counts are best understood as idealised query complexity, not direct wall-clock cracking times. A real quantum attack must implement the target computation as a reversible quantum oracle, pay the cost of fault-tolerant error correction, and repeat the oracle many times. For password hashes such as Argon2id or scrypt, memory-hardness further complicates the attack model.

What This Means in Practice

Applied to cryptographic brute-force:

The mitigation for symmetric keys is straightforward: increase the key length to restore the desired security margin against Grover-style search. AES-256 provides roughly 128 bits of ideal quantum search security—similar to the classical security margin commonly associated with AES-128. For passwords, the equivalent mitigation is longer, randomly generated, unique passwords combined with slow, salted, memory-hard password hashing.

Figure 1: Shor vs Grover — Two Different Quantum Threats

Shor's Algorithm

Targets: RSA, ECDH, ECDSA

Classical
Quantum

Exponential speedup — reduces RSA and elliptic-curve security from infeasible classically to polynomial time on a sufficiently large fault-tolerant quantum computer.

Broken under CRQC

Grover's Algorithm

Targets: AES, SHA, password hashes

Classical
Quantum

Quadratic speedup — halves the ideal bit-security. AES-256 goes from 2256 classical search to roughly 2128 Grover iterations.

Manageable margin
Shor's algorithm exploits algebraic structure for an exponential shortcut against RSA and elliptic-curve cryptography. Grover's algorithm speeds up unstructured search quadratically—significant, but not catastrophic for sufficiently large symmetric keys and high-entropy passwords. Bit-security estimates here are simplified and do not include oracle cost, password-hash memory hardness, or error-correction overhead.

Why Grover Is Not Practical Yet

Running Grover's algorithm against AES-128 would require about 264 ideal Grover iterations, plus a reversible quantum circuit implementing the full AES round function as an oracle and substantial fault-tolerant error-correction overhead. Current publicly known quantum computers remain noisy and are far from the scale required for cryptanalytic attacks. Grover search also does not parallelise as efficiently as classical brute force: splitting the search across multiple quantum processors gives a limited improvement compared with the near-linear parallelism of classical brute-force search. The practical threat from Grover remains much less urgent than the threat Shor's algorithm poses to public-key cryptography.

Figure 2: How Long to Crack Your Password?
Target Bit Strength Classical Attack Quantum (Grover) Verdict
8-char password (mixed case + digits) ~47.6 bits Weak against modern offline attacks ~223.8 ideal Grover iterations Weak
12-char random alphanumeric password ~71.5 bits Strong only if truly random and well hashed ~235.8 ideal Grover iterations Reduced margin
16-char random alphanumeric password ~95.3 bits Strong against realistic offline attacks ~247.6 ideal Grover iterations Strong margin
20-char random alphanumeric password ~119.1 bits Very strong margin ~259.6 ideal Grover iterations Strong margin
AES-128 key 128 bits ~2128 ideal key search ~264 ideal Grover iterations Reduced quantum margin
AES-256 key 256 bits ~2256 ideal key search ~2128 ideal Grover iterations Strong margin
RSA-2048 key ~112 bits (classical) Classically infeasible Polynomial time with Shor on a CRQC Broken under CRQC
ECDSA P-256 key ~128 bits (classical) Classically infeasible Polynomial time with Shor on a CRQC Broken under CRQC
Grover's quadratic speedup reduces the margin of short passwords but leaves long random passwords and AES-256 with a strong margin under known attacks. Shor's algorithm, by contrast, breaks today's RSA and elliptic-curve public-key cryptography on a cryptographically relevant quantum computer (CRQC). Password entropy assumes random selection from 62 alphanumeric characters unless otherwise stated. Quantum iteration counts are idealised and are not wall-clock cracking times.

4. What Quantum Computers Actually Break

The real quantum catastrophe is not about passwords directly—it's about the public-key infrastructure that underpins the entire Internet. Every time you visit a website, your browser performs a TLS handshake that usually uses:

Shor's algorithm breaks today's RSA and elliptic-curve versions of both operations in polynomial time on a sufficiently large fault-tolerant quantum computer. This means a cryptographically relevant quantum computer could:

  1. Break the key exchange and recover the session key
  2. Decrypt all traffic in the session, including any password you type
  3. Forge digital signatures, impersonating any server

Your Password Is Only as Safe as the Channel That Carries It

Even a 64-character, perfectly random password does not protect the login flow if the TLS connection carrying it to the server can be decrypted or impersonated by a quantum-equipped adversary. The password itself can retain a strong quantum margin; the classical public-key channel does not. This is why the real urgency is upgrading public-key infrastructure to hybrid post-quantum TLS and post-quantum authentication, not merely changing password policies.

The Harvest-Now, Decrypt-Later Threat

State-level adversaries can intercept and store encrypted network traffic today. When a cryptographically relevant quantum computer arrives, they may be able to retroactively decrypt sessions captured years earlier—recovering sensitive data, long-lived credentials, or reusable secrets that crossed the wire. This Harvest-Now, Decrypt-Later attack is not merely theoretical; it is documented in NIST guidance as a current planning concern.

5. The Indirect Threat: Passwords in a Post-Quantum World

Understanding the complete picture requires seeing how passwords interact with public-key cryptography at every stage of the authentication lifecycle:

Password Transmission

When you submit a login form, your password travels over a TLS-encrypted connection. If the TLS key exchange or server authentication still relies only on classical RSA or elliptic-curve cryptography and is broken by a cryptographically relevant quantum computer, the password can be exposed in transit—regardless of how well it is stored on the server.

Session Tokens and OAuth

After authentication, your browser receives a session cookie or OAuth token. These are transmitted over the same TLS channel. Break the channel, and you can steal the session without ever needing the password.

Password Reset Flows

Password reset emails contain tokens or links. Email transport often relies on TLS via STARTTLS, but deployment and enforcement vary across mail paths. A quantum attacker who can decrypt or impersonate vulnerable transport connections could capture reset tokens and take over accounts without touching the password hash.

The Full Attack Surface

Even if your password hash stored on the server has a strong quantum margin, many other links in the authentication chain still rely on public-key cryptography that Shor's algorithm breaks when RSA or elliptic curves are used: TLS key exchange, TLS server authentication, certificate authorities, OAuth token exchange, and email transport encryption. The password hash can be the strongest link in a chain where multiple other links are quantum-vulnerable.

6. What You Should Do Today

The good news: the solutions already exist and are being deployed. Here is what individuals and organisations should prioritise:

For Individuals

For Organisations and Developers

Check Your TLS Quantum Readiness

Want to verify whether your website or service already supports post-quantum key exchange? Use our PQC Tools to test your TLS configuration for hybrid ML-KEM support.

7. The Bottom Line

The quantum threat to passwords is real but widely misunderstood. Here is the complete picture in one table:

What Quantum Threat Why Verdict
Password hash (Argon2id, bcrypt, scrypt) Grover-style search, with oracle overhead Halves ideal search bit-security; strong random passwords plus memory-hard hashing retain a strong margin STRONG MARGIN
AES-256 encrypted data Grover (quadratic) 256 → roughly 128-bit ideal quantum search security STRONG MARGIN
SHA-256 / HMAC Grover and related quantum search bounds Preimage resistance is reduced in the ideal model; HMAC remains strongly conservative when used correctly STRONG MARGIN
RSA-2048 (TLS, signatures) Shor (exponential) Factoring solved in polynomial time on a CRQC BROKEN UNDER CRQC
ECDH / ECDSA (TLS key exchange and signatures) Shor (exponential) Discrete logarithm solved in polynomial time on a CRQC BROKEN UNDER CRQC
Password in transit (over classical RSA/ECC-only TLS) Shor (indirect) Vulnerable key exchange or authentication can expose or impersonate the channel QUANTUM-VULNERABLE
Password in transit (over hybrid PQC TLS key exchange) No known efficient quantum attack against the key exchange ML-KEM hybrid key exchange protects confidentiality; certificate-signature migration is a related but separate requirement STRONGER, NOT COMPLETE

The real urgency is not about passwords themselves—it's about migrating the public-key infrastructure that protects password transmission, session management, and authentication. Passwords and symmetric cryptography can retain strong security margins with high entropy, proper hashing, and conservative key sizes. The public-key layer requires a fundamental algorithmic replacement—and that replacement (ML-KEM, hybrid TLS key exchange, and post-quantum signatures) is already being standardised and deployed.

Related Reading

ML-KEM Deep Dive Hybrid TLS Explained HNDL Threat

How to Cite This Article

APA: PostQuantumSecurity.org. (2026, June 21). Will Quantum Computers Break Your Password? https://www.postquantumsecurity.org/publications/pqc_password.html

IEEE: PostQuantumSecurity.org, "Will Quantum Computers Break Your Password?," Jun. 21, 2026. [Online]. Available: https://www.postquantumsecurity.org/publications/pqc_password.html

LaTeX/BibTeX:

@misc{pqsecurity_password_quantum,
  author       = {{PostQuantumSecurity.org}},
  title        = {Will Quantum Computers Break Your Password?},
  year         = {2026},
  month        = jun,
  day          = {21},
  url          = {https://www.postquantumsecurity.org/publications/pqc_password.html}
}

References

  1. Grover, L. K. (1996). A fast quantum mechanical algorithm for database search. Proceedings of the 28th Annual ACM Symposium on Theory of Computing (STOC), 212–219. https://doi.org/10.1145/237814.237866
  2. Shor, P. W. (1997). Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Journal on Computing, 26(5), 1484–1509. https://doi.org/10.1137/S0097539795293172
  3. National Institute of Standards and Technology (NIST). (2016). NISTIR 8105: Report on Post-Quantum Cryptography. https://csrc.nist.gov/pubs/ir/8105/final
  4. National Institute of Standards and Technology (NIST). (2024). FIPS 203: Module-Lattice-Based Key-Encapsulation Mechanism Standard. https://csrc.nist.gov/pubs/fips/203/final
  5. Jaques, S., Naehrig, M., Roetteler, M., & Virdia, F. (2020). Implementing Grover oracles for quantum key search on AES and LowMC. EUROCRYPT 2020, LNCS 12106. https://doi.org/10.1007/978-3-030-45724-2_10
  6. Grassl, M., Langenberg, B., Roetteler, M., & Steinwandt, R. (2016). Applying Grover's algorithm to AES: Quantum resource estimates. Post-Quantum Cryptography (PQCrypto 2016), LNCS 9606. https://doi.org/10.1007/978-3-319-29360-8_3
  7. Biham, E., Boyer, M., Boykin, P. O., Mor, T., & Roychowdhury, V. (1999). A proof of the security of quantum key distribution (includes analysis of Grover parallelization limits). https://doi.org/10.1145/335305.335406
  8. Bundesamt für Sicherheit in der Informationstechnik (BSI). (2025). TR-02102-1: Cryptographic mechanisms: Recommendations and key lengths. https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TG02102/BSI-TR-02102-1.html
  9. National Institute of Standards and Technology (NIST). (2024). SP 800-63B-4: Digital Identity Guidelines: Authentication and Authenticator Management. https://pages.nist.gov/800-63-4/sp800-63b.html
  10. OWASP Foundation. Password Storage Cheat Sheet. https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html