en.Wedoany.com Reported - The ability of quantum computers to break public-key cryptography poses a real threat to long-term confidential credentials. The Global Risk Institute's 2025 Quantum Threat Timeline Report indicates that 51% to 70% of surveyed security experts believe a cryptographically relevant quantum computer could emerge within 15 years. This threat stems from a principle proven by Peter Shor in 1994: a powerful quantum computer can efficiently factor large numbers and compute discrete logarithms. However, Shor's algorithm only applies to public-key cryptography such as RSA and elliptic curve cryptography, and does not pose a substantial threat to symmetric encryption like AES-256 or modern hashing. Attackers can currently employ a "Harvest Now, Decrypt Later" strategy, capturing and storing encrypted traffic today for decryption once a quantum computer becomes available. Given that a practically capable quantum computer is likely to emerge within 15 years, any data intercepted today should be considered already exposed.

Government agencies are setting deadlines for cryptographic changes around a milestone known as Q-Day. The U.S. National Security Agency's (NSA) Commercial National Security Algorithm Suite 2.0 requires new national security systems to support quantum-resistant algorithms starting January 1, 2027, with plans to achieve quantum resistance for all national security systems by 2035. Concurrently, the U.S. National Institute of Standards and Technology (NIST) is advancing draft IR 8547, which plans to deprecate RSA-2048 and ECC P-256 after 2030 and fully prohibit them after 2035. Full enterprise transformation may take 5 to 15 years, with the discovery phase alone potentially requiring 1 to 2 years in large organizations.

Not all encrypted data within an organization faces the same risk. Most secrets, such as session tokens, have a confidentiality lifecycle measured in months, while credentials may last for years or as long as their associated systems remain in service. This makes credentials an ideal target for attackers to harvest and hold now, awaiting quantum computer decryption. The scale of risk is particularly influenced by the growing number of non-human identities (NHIs) within organizations, such as service accounts and API keys, which often have long lifespans and have not been inventoried for cryptographic exposure.

Since risk is concentrated in credentials, migration should begin there. Organizations should adopt a credential-first approach, including inventorying existing cryptography, prioritizing based on risk rather than scale, migrating to hybrid cryptography, and building cryptographic agility. The inventory phase requires identifying systems that hold or proxy secrets, including password managers, secret managers, and privileged access management (PAM) platforms. Migration should employ hybrid cryptography, combining classical algorithms with quantum-resistant algorithms in the same key exchange to defend against both current and future attackers. Additionally, organizations should build with cryptographic agility in mind, making algorithm changes a configuration update rather than a re-engineering effort.

Keeper Security rolled out quantum-resistant cryptography across all its client applications in November 2025, adopting the Kyber hybrid key encapsulation mechanism (KEM) to help protect password vaults from "Harvest Now, Decrypt Later" and other quantum computing threats. Organizations should prioritize protecting credentials from the quantum future now, rather than waiting for more advanced hardware to force action.