Table of Contents
Quantum computing is the longest-range threat to password security and digital authentication. It is also the most misunderstood. Headlines oscillate between “quantum computers will break all encryption” and “quantum computing is decades away and irrelevant.” The truth, as usual, lies somewhere in between – and understanding the nuance is important for making informed security decisions today.
This analysis separates the real cryptographic risks from the speculative ones, provides realistic timelines based on current research, and explains what the post-quantum transition means for anyone managing passwords and credentials.
What Quantum Computing Actually Threatens
Asymmetric Encryption Is Vulnerable
The primary cryptographic threat from quantum computing is to asymmetric (public-key) encryption algorithms. RSA, Elliptic Curve Cryptography (ECC), and Diffie-Hellman key exchange – the algorithms that secure TLS connections, digital signatures, and key exchange protocols – are all vulnerable to Shor’s algorithm running on a sufficiently powerful quantum computer.
Shor’s algorithm can factor large integers and compute discrete logarithms exponentially faster than any known classical algorithm. This means that the mathematical problems these encryption schemes rely on – problems that would take classical computers millions of years to solve – could potentially be solved in hours or days by a quantum computer.
This is a genuine threat to the infrastructure of internet security, but it is important to understand what it does and does not affect.
Symmetric Encryption Is Largely Safe
AES-256, the symmetric encryption algorithm that protects your password vault, is not meaningfully threatened by quantum computing. Grover’s algorithm provides a quadratic speedup for searching unsorted databases, which effectively reduces the security of AES-256 to AES-128 against a quantum adversary. AES-128 remains well beyond practical attack even for quantum computers.
This is a critical distinction for password security. The encryption that protects your KeePass database or any AES-256-encrypted password vault is not at risk from quantum computing in any foreseeable timeline. The threat is to the transport layer – how encrypted data moves between devices – not to the encryption of the data itself.
Hash Functions Are Partially Affected
Grover’s algorithm also applies to hash functions, effectively halving their security level against quantum attacks. SHA-256 becomes equivalent to SHA-128 in a quantum world. This is a reduction, but not a catastrophic one – SHA-256 against a quantum adversary still provides a level of security that is computationally infeasible to break.
For password hashing, the key derivation functions used by modern password managers (Argon2, which is used by PanicVault and other KeePass-compatible applications) are memory-hard functions designed to resist both classical and quantum brute-force attacks. The quantum speedup against these functions is limited by their memory requirements, not just their computational complexity.
Realistic Timelines
Where Quantum Hardware Stands
As of 2026, the most advanced quantum computers operate with roughly 1,000-1,500 qubits. Breaking RSA-2048 with Shor’s algorithm would require approximately 4,000 logical qubits – but each logical qubit requires thousands of physical qubits for error correction, putting the actual hardware requirement at several million physical qubits.
Current quantum computers are noisy, error-prone, and far from the scale needed for cryptographic attacks. The trajectory is one of steady progress, but the gap between current capabilities and cryptographic threat is measured in orders of magnitude, not incremental improvements.
Expert Estimates
The security research community generally estimates that cryptographically relevant quantum computers (CRQC) – machines capable of breaking RSA-2048 – are 10 to 20 years away. Some optimists suggest 7-10 years; some skeptics suggest 25+ years or never, due to fundamental engineering challenges in scaling quantum systems while maintaining coherence.
NIST, in its post-quantum cryptography standardization effort, has operated on the assumption that migration should be complete before 2035 – implying a belief that the threat could materialize within that timeframe.
The Harvest Now, Decrypt Later Threat
The most immediate quantum risk is not about breaking encryption today but about data collection for future decryption. Nation-state adversaries may be intercepting and storing encrypted communications now, with the intention of decrypting them once quantum computers are available. This “harvest now, decrypt later” strategy means that sensitive data transmitted today could be exposed in the future.
For most individuals managing passwords, this threat is low – your password vault is not likely a target for nation-state signals intelligence. But for high-value targets, the implication is clear: data encrypted with quantum-vulnerable algorithms today may not remain confidential forever.
The Post-Quantum Transition
NIST’s Post-Quantum Standards
NIST finalized its first set of post-quantum cryptographic standards in 2024, selecting algorithms designed to resist both classical and quantum attacks:
- ML-KEM (CRYSTALS-Kyber): A key encapsulation mechanism for establishing shared secrets. Intended to replace RSA and ECC in key exchange.
- ML-DSA (CRYSTALS-Dilithium): A digital signature algorithm. Intended to replace RSA and ECC for signatures.
- SLH-DSA (SPHINCS+): A hash-based digital signature algorithm as a conservative backup.
These standards are the foundation for the post-quantum migration that will take place over the next decade across the technology industry.
Migration Timeline
The transition to post-quantum cryptography is already underway in some contexts:
- TLS: Chrome and other browsers have begun experimenting with hybrid key exchange that uses both classical and post-quantum algorithms. This provides quantum resistance while maintaining backward compatibility.
- Signal Protocol: Signal adopted post-quantum key exchange in 2024, providing quantum resistance for messaging.
- Government Systems: The US government has mandated a transition timeline for federal systems, with critical systems required to migrate first.
For consumer password managers, the migration primarily affects cloud sync mechanisms and any client-server communication. The vault encryption itself (AES-256 with Argon2 key derivation) does not need to change.
What This Means for Password Security
Your Password Vault Is Safe
If your password database is encrypted with AES-256 (as used by KeePass, PanicVault, 1Password, Bitwarden, and every reputable password manager), quantum computing does not threaten the confidentiality of your stored passwords. This is the most important takeaway for individual users.
The encryption that protects your vault is symmetric, and symmetric encryption is not meaningfully weakened by quantum computing. Even under the most aggressive quantum threat models, AES-256 provides more than adequate security.
Cloud Sync Needs Attention
If your password manager syncs across devices using a cloud service, the encryption of that sync channel may be vulnerable to harvest-now-decrypt-later attacks. This is primarily a concern for cloud-native password managers where vault data transits through the provider’s infrastructure.
Local-first password managers that sync through file services (like PanicVault syncing through iCloud Drive) have a different risk profile. The sync layer encrypts data in transit, and iCloud uses industry-standard TLS – which will be upgraded to post-quantum TLS as the industry migrates. But the vault itself is already encrypted with AES-256 before it enters the sync layer, providing defense in depth.
The Open Format Advantage
In a landscape where cryptographic standards are evolving, using an open format for your credential storage provides crucial flexibility. The KeePass KDBX format is maintained by an open community that can adopt new algorithms as they are standardized. If future versions of KDBX incorporate post-quantum key derivation or additional encryption layers, your data can be migrated to the new format without switching vendors.
Proprietary password managers can and will make the same upgrades, but you are dependent on their timeline and their implementation. With an open format, you have options.
Practical Recommendations
Do Not Panic
Quantum computing is a real but distant threat to specific cryptographic algorithms. Your password vault is not at risk. The infrastructure that transports encrypted data will be upgraded before quantum computers are capable of attacking it. The security community is well ahead of the threat curve on this one.
Do Use Strong Symmetric Encryption
Ensure your password manager uses AES-256 or ChaCha20 with a strong key derivation function (Argon2 is the current best practice). These algorithms are quantum-resistant and will protect your data for the foreseeable future.
Do Support the Post-Quantum Transition
Keep your software updated. As browsers, operating systems, and applications adopt post-quantum cryptographic algorithms, updating ensures you benefit from these protections. This is not something you need to configure – it will happen transparently through normal software updates.
Do Consider Data Longevity
If you are storing information that needs to remain confidential for 20+ years, consider the harvest-now-decrypt-later threat. For most people managing passwords, this is not a concern – passwords should be rotated long before quantum computers arrive. But for highly sensitive data, the post-quantum transition is more urgent.
Do Prioritize Portability
The most future-proof approach to credential management is one that gives you flexibility. PanicVault and other KeePass-compatible applications store your data in an open format that can evolve with the cryptographic landscape. As post-quantum standards mature and are integrated into the KDBX format, your data moves forward with the technology.
Passkeys built on FIDO2 will also need post-quantum upgrades to the underlying cryptographic protocols. The FIDO Alliance is already working on this. Users with portable, open-format credential storage will have the smoothest transition path.
The Bottom Line
Quantum computing will eventually require a major upgrade to the internet’s cryptographic infrastructure. That upgrade is already being planned and, in some cases, deployed. For individual password security, the practical impact is minimal – AES-256 vault encryption is quantum-safe, and the transport layer will be upgraded before quantum computers pose a real threat.
The users best positioned for the quantum transition are those with strong symmetric encryption, up-to-date software, and portable credential storage. If you are using a modern password manager with AES-256 encryption and keeping it updated, quantum computing is not something you need to worry about today.
