up:: Security Basics MOC

Passwords in a Quantum World

Passwords in a quantum world stay largely safe, because password hashing rests on hash functions and symmetric building blocks that Grover’s algorithm only weakens by a square-root factor rather than breaking outright, so a strong, slow password hash keeps most of its protection against a quantum attacker. The quantum threat that panics headlines is Shor’s algorithm breaking public-key cryptography like RSA, and password storage doesn’t depend on that math at all. Modern password hashing uses deliberately slow, salted functions such as bcrypt, Argon2, PBKDF2, and scrypt, and against those Grover’s speedup is both modest and hard to realize in practice, so the honest answer to “are my passwords safe from quantum” is that a well-chosen password protected by a modern hash is fine, and the real weaknesses are the same ones that exist today.

The short version:

  1. Passwords are stored as hashes, not encrypted with public-key crypto, so Shor’s algorithm, the thing that breaks RSA, doesn’t apply to password storage.
  2. The only quantum tool that touches hashing is Grover’s algorithm, which gives a square-root speedup on brute-force search, effectively halving the bits of security rather than collapsing it.
  3. Modern password hashes, bcrypt, Argon2id, PBKDF2, and scrypt, are deliberately slow and memory-hard, which multiplies the cost of every guess and blunts a quantum brute force just as it blunts a classical one.
  4. A strong, high-entropy password behind a modern hash keeps ample margin even after Grover, so the practical answer is that most passwords survive the quantum transition.
  5. The real password risks stay classical, weak or reused passwords, phishing, and breached databases, so the quantum era doesn’t change the advice, which is length, uniqueness, and a password manager.

Think of a password hash as a combination lock that takes a full 10 seconds to test each guess, on purpose. A classical attacker with a stolen lock can only try one combination every 10 seconds, so working through billions of settings takes lifetimes. A quantum attacker with Grover’s algorithm effectively cuts the number of settings they must try to the square root of the total, which sounds dramatic until you notice the lock still takes 10 seconds per attempt and the square root of an astronomically large number is still astronomically large. The slow lock was the whole defense, and it stays slow no matter who’s turning it, which is why a good password behind a modern hash doesn’t suddenly fall open in a quantum world.

Do quantum computers break passwords?

No, not in the way the headlines suggest, because password storage doesn’t rely on the math that quantum computers break. The quantum threat that breaks cryptography is Shor’s algorithm, and it breaks public-key systems like RSA and elliptic-curve crypto by solving factoring and the discrete logarithm. Passwords aren’t protected by any of that. A password is stored as a hash, a one-way function output, and verifying a login means hashing the entered password and comparing, so there’s no public-key operation for Shor’s algorithm to attack.

The only quantum algorithm that touches hashing is Grover’s algorithm, which speeds up brute-force search. That matters, but it’s the manageable half of the quantum threat, not the catastrophic half. Grover doesn’t reverse a hash or reveal a password directly. It only makes guessing faster, and it makes guessing faster by a bounded, square-root factor. So the accurate framing is that quantum computers make brute-forcing a password somewhat faster, against a defense that was already built to make brute-forcing expensive, rather than breaking passwords the way they break public-key cryptography.

How much does Grover’s algorithm actually weaken password hashing?

Grover halves the effective security in bits, which is a real reduction but a survivable one, and against a slow password hash it’s even less useful than the raw number suggests. Grover’s algorithm finds a target in an unstructured space of N possibilities in about √N steps instead of up to N, and taking the square root of the search space is equivalent to halving the number of security bits. A search that classically needs 2^n work drops to about 2^(n/2) quantum work.

Source: NIST, “Report on Post-Quantum Cryptography,” NISTIR 8105, April 2016 (Grover’s speedup “requires larger key sizes”), NISTIR 8105.

Two things keep that from being alarming for passwords:

  1. Halving still leaves a large number. Halving the bits of a strong secret leaves an enormous search space. The problem isn’t the algorithm’s structure, which is exactly why the classical fix, more entropy in the password and a bigger hash output, restores the margin without changing the approach.
  2. Grover barely parallelizes and needs deep circuits. Grover’s speedup doesn’t split efficiently across many machines the way classical brute force does, and running it at cryptographic scale requires a very large, very deep, error-corrected quantum circuit maintained coherently for the whole search. That makes the theoretical √N far harder to realize against a slow hash than the clean math implies, so the practical weakening is smaller than the worst case.

The table sets the password case against the two other cryptographic layers, which is what makes clear why passwords sit in the safe category.

Cryptographic layerQuantum attack that appliesEffectResponse
Public-key (RSA, ECC)Shor’s algorithmBroken completelyReplace with post-quantum algorithms
Symmetric (AES-256, hashes)Grover’s algorithmEffective strength halvedUse a larger key or bigger hash
Password hashing (bcrypt, Argon2id, PBKDF2, scrypt)Grover’s algorithm, on the guess searchSearch space square-rooted, blunted further by slow per-guess costStrong password entropy; no algorithm change

Layer a deliberately slow hash on top of that and Grover’s advantage shrinks further. If each guess already costs real time and memory by design, then cutting the number of guesses to the square root still leaves an attacker paying the per-guess cost across an astronomically large residual search, which is precisely what modern password hashing was built to make unaffordable.

Why do bcrypt, Argon2, PBKDF2, and scrypt survive quantum?

They survive because they’re built from hash functions and symmetric operations, which are the quantum-resistant half of cryptography, and because their whole design goal, being slow and expensive per guess, works against a quantum attacker exactly as it works against a classical one. These are password-hashing functions, a specialized kind of key derivation function built for low-entropy inputs, and each adds cost that Grover’s speedup can’t remove.

  1. PBKDF2 iterates a hash-based function many times, so each password guess costs thousands of hash computations. NIST’s digital identity guidance calls for the iteration count to be as high as the server can bear, typically at least 10,000 iterations, precisely to make guessing expensive. Grover speeds up the search over passwords, not the cost of each iterated evaluation, so the per-guess tax stands.

Source: NIST, “Digital Identity Guidelines, Authentication and Lifecycle Management,” SP 800-63B, June 2017, NIST SP 800-63B.

  1. bcrypt uses an adjustable cost factor built on a block-cipher key schedule, so it’s slow by construction and the slowness scales up as hardware gets faster.
  2. scrypt is memory-hard, meaning each guess needs a large amount of memory, which resists the massively parallel custom hardware that makes classical cracking cheap, and memory-hardness is not something Grover’s algorithm relaxes.

Source: C. Percival and S. Josefsson, “The scrypt Password-Based Key Derivation Function,” RFC 7914, August 2016, RFC 7914.

  1. Argon2, specifically Argon2id, is a modern memory-hard function tunable in memory, time, and parallelism, which RFC 9106 names the first-recommended option and the default setting for new systems.

Source: A. Biryukov, D. Dinu, D. Khovratovich, S. Josefsson, “Argon2 Memory-Hard Function for Password Hashing and Proof-of-Work Applications,” RFC 9106, September 2021, RFC 9106.

The unifying reason all four carry forward is that Grover attacks the size of the search, while these functions attack the cost of each search step. Those are different levers, and a quantum computer only pulls the first one. A memory-hard, high-iteration hash keeps every guess expensive whether the guessing is classical or quantum, which is why the standardized password hashes don’t need to be replaced the way public-key algorithms do.

What actually threatens passwords in the quantum era?

The real threats to passwords stay stubbornly classical, and the quantum transition changes none of them, which is the most useful thing to understand about this topic. A quantum computer doesn’t help an attacker against the weaknesses that actually compromise passwords in the field.

  1. Weak and reused passwords. A short or common password is guessable with or without a quantum computer, because the search space is small enough that neither the classical nor the quantum attacker needs the fast algorithm. Reuse means one breach unlocks many accounts. This is the dominant real-world failure, and it’s entirely about entropy and hygiene.
  2. Phishing and credential theft. If an attacker tricks a user into typing a password into a fake page, the strength of the hash and the presence or absence of a quantum computer are both irrelevant, because the plaintext was handed over directly.
  3. Breached databases with weak hashing. The damage from a stolen password database depends on how it was hashed. A database stored with a fast, unsalted hash is crackable today, no quantum required, while one stored with salted Argon2id resists both classical and quantum guessing.

So the guidance for a quantum world is the same guidance that’s always been right: use long, unique, high-entropy passwords, store them in a password manager, hash them with a modern function like Argon2id, and add a second factor so a stolen password isn’t enough on its own. The quantum threat is real for public-key cryptography and largely a non-event for password storage, and the effort that would go into worrying about quantum passwords is better spent on the classical weaknesses that compromise accounts every day.

Common misconceptions

  1. “Quantum computers will crack all our passwords.” Passwords are stored as hashes, not protected by the public-key math Shor’s algorithm breaks. The only quantum tool that applies is Grover’s, which speeds up guessing by a square-root factor rather than breaking the hash.
  2. “Grover halves the security, so my passwords are half as safe.” Halving the bits of a strong secret still leaves an enormous search space, and against a deliberately slow hash the per-guess cost stays, so the practical weakening is far smaller than “half as safe” implies.
  3. “We need quantum-resistant password hashing algorithms.” The standardized password hashes are already quantum-resistant, because they’re built on hash and symmetric operations. There’s no new password-hashing family to migrate to the way there is for public-key crypto.
  4. “Longer passwords are pointless once quantum arrives.” The opposite is true. More entropy is exactly the fix for Grover’s square-root speedup, so a longer, higher-entropy password is precisely what restores the margin a quantum attacker would erode.
  5. “Password managers become useless against quantum computers.” Password managers protect their vaults with strong symmetric encryption and slow key derivation, both of which survive the quantum transition. A well-designed manager with a strong master password is as sound in a quantum world as today.

Questions people ask

Are my passwords safe from quantum computers? A strong, unique password stored with a modern hash like Argon2id is safe. Passwords aren’t protected by the public-key math Shor’s algorithm breaks, and the only quantum tool that applies, Grover’s, only speeds up guessing by a square-root factor against a defense already built to make guessing expensive.

Do I need to change my passwords because of quantum computing? Not because of quantum. The advice that was already right stays right, which is long, unique, high-entropy passwords in a password manager with a second factor. The passwords worth changing are the weak or reused ones, and that’s true regardless of quantum.

Does Grover’s algorithm break password hashing? No. Grover’s algorithm speeds up brute-force search by a square-root factor, effectively halving the security bits, which is survivable and doesn’t reverse a hash. Against slow, memory-hard hashes it’s even less effective, because those functions tax each guess in a way Grover doesn’t relieve.

Which password hash should I use in a quantum world? Argon2id is the current default recommendation for new systems, with bcrypt, scrypt, and high-iteration PBKDF2 as established alternatives. All four are built on quantum-resistant hash and symmetric operations, so the choice is about cost tuning and modernity, not quantum resistance.

Why is password hashing safe when RSA isn’t? Because they rest on different math. RSA relies on factoring, which Shor’s algorithm solves directly, so it breaks completely. Password hashes rely on one-way hash functions, where the best quantum attack is only Grover’s quadratic search, which weakens rather than breaks.

Should I worry about my password manager’s vault being decrypted by a quantum computer? A well-built manager encrypts its vault with strong symmetric cryptography and derives the key from your master password with a slow key derivation function, both quantum-resistant. The residual risk is the classic one, a weak master password, not the quantum computer.

What’s the single best thing I can do for password security, quantum or not? Use a password manager to generate long, unique passwords for every account and turn on a second factor. That defeats reuse, weak passwords, and most credential theft at once, and none of those dominant real-world threats is helped by a quantum computer anyway.

Do passkeys solve the quantum problem by getting rid of the password? They move it rather than solve it. A passkey removes the harvestable shared secret, which is a real gain, and it authenticates by signing with a classical ECDSA or EdDSA key, so the quantum exposure relocates from the password to the signature that Shor’s algorithm can forge. The full picture is in FIDO2, WebAuthn, and Passkeys.


Everything here is the map, given freely. When your team needs its authentication stack reviewed for where the genuine quantum exposure sits, which is the public-key layer, not the password hashes, and its password storage brought up to a modern standard, that’s the work I do. Request an alignment briefing.

Last verified 2026-07-14 · Maintained by Addie LaMarr, LaMarr Labs.