Last August, the National Institute of Standards and Technology (NIST) released its first three finalized post-quantum encryption standards, designed to withstand attacks from quantum computers. It was the latest sign of a changing security world – but what does it all mean for passwords?
It’s easy to see why there’s such excitement about quantum computing. By harnessing the properties of the quantum world, computers can make calculations that simply wouldn’t be possible with ‘normal’ systems.
This could transform computing as we know it, with huge potential benefits in everything from medicine to finance. However, the technology also poses significant dangers, potentially turbocharging cyberattacks.
Prime position
So where is the danger? As NIST has noted, conventional cryptographic algorithms depend on “the difficulty conventional computers have with factoring large numbers”.
The algorithms pick two big prime numbers and multiply them to get an even larger number. A computer must reverse the process to work out which prime numbers were multiplied together if it is to break the encryption, which could take a conventional system billions of years.
That’s where quantum comes in. A powerful quantum computer could work through all of the potential prime factors simultaneously, instead of just one at a time, meaning that “instead of billions of years, it’s possible a quantum computer could solve this puzzle in days or even hours,” explains NIST, “putting everything from state secrets to bank account information at risk”.
This is tied to ‘Shor’s Algorithm’, created by Peter Shor in 1994, which could solve the mathematical problems underlying public key cryptography (PKC) because it would be able to perform prime factorization much more quickly than normal computers.
It would need a large quantum computer to work – technology that is now nearing reality.
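An added illustration, not taken from the original article or from NIST: a toy RSA key built from tiny constructed primes, showing that whoever factors the public modulus can rebuild the private key, and how the classical search cost climbs as the primes grow. The function names and prime values are assumptions chosen for this example; real keys use primes hundreds of digits long, and trial division stands in here for the far better classical factoring methods that exist.

```python
from math import gcd, isqrt

def make_keypair(p, q, e=65537):
    """Multiply two primes into a public modulus, as the passage describes."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return (n, e), (n, pow(e, -1, phi))   # (public key, private key)

def factor_by_trial_division(n):
    """The 'reverse the process' step on a classical machine.

    Returns (p, q, number of candidate divisors tried)."""
    if n % 2 == 0:
        return 2, n // 2, 1
    tries = 0
    for cand in range(3, isqrt(n) + 1, 2):
        tries += 1
        if n % cand == 0:
            return cand, n // cand, tries
    raise ValueError("n has no non-trivial factor")

def recover_private_exponent(public_key):
    """Rebuild d from the public key alone once n has been factored."""
    n, e = public_key
    p, q, tries = factor_by_trial_division(n)
    return pow(e, -1, (p - 1) * (q - 1)), tries

def demo():
    """Return (modulus bits, divisions needed, plaintext recovered?) per key."""
    results = []
    # Constructed toy primes; each pair is roughly 10x-100x larger than the last.
    for p, q in [(1009, 1013), (10007, 10009), (1000003, 1000033)]:
        public, _private = make_keypair(p, q)
        n, e = public
        ciphertext = pow(42, e, n)            # encrypt the constructed message 42
        d, tries = recover_private_exponent(public)
        recovered = pow(ciphertext, d, n)     # decrypt with the rebuilt key
        results.append((n.bit_length(), tries, recovered == 42))
    return results

if __name__ == "__main__":
    for bits, tries, ok in demo():
        print(f"{bits:>3}-bit modulus: {tries:>7} divisions, plaintext recovered: {ok}")
```

The work roughly doubles for every two bits added to the modulus, which is why factoring is out of reach classically at real key sizes, and why an algorithm that factors efficiently removes the protection entirely.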
Post-quantum cryptography
That’s where post-quantum cryptography (PQC) comes in. PQC would move on from traditional public key cryptography (PKC) algorithms because it would be based on mathematical problems “believed to be intractable for both classical and quantum computers,” notes the UK National Cyber Security Centre.
The new NIST standards, for instance, came from an eight-year NIST effort featuring leading cryptography experts, all with the goal of developing algorithms that could resist quantum cyberattacks.
The first completed standards under NIST’s PQC standardization project are ML-KEM (based on the CRYSTALS-Kyber algorithm), intended as the primary standard for general encryption; ML-DSA (which uses CRYSTALS-Dilithium), aimed at protecting digital signatures; and SLH-DSA (from SPHINCS+), also focused on digital signatures.
Additionally, NIST is evaluating two other sets of algorithms that could serve as backup standards, it said: one for general encryption (but based on a different type of math problem than the current general-purpose algorithm) and another for digital signatures.
It’s important to note that they would be backups to the three new algorithms.
Dustin Moody, a NIST mathematician who heads the PQC standardization project, underscored the sense of urgency when he encouraged system administrators “to start integrating them into their systems immediately, because full integration takes time.”
New era for passwords
So what does this mean for the passwords we use to log in online? It’s important to note that passwords aren’t going anywhere soon.
For one thing, we don’t yet know when the full potential of quantum computing will be realized – while it’s vital to prepare for the worst, it’s also important not to panic.
Both businesses and organizations will continue to rely on the advantages that passwords provide, notably their simplicity, flexibility (they can easily be reset) and underlying effectiveness (they’re either right or wrong).
It’s more a case of building stronger locks to protect our important data and resources, rather than removing the locks altogether. By creating longer, more complex passwords and protecting them with larger hash sizes, passwords will be more secure against attacks, even against quantum computing.
You should:
- First, check if your current password security can resist quantum attacks
- Plan how to upgrade password storage
- Use encryption that works now and remains strong against quantum computers
- Importantly, keep an eye on new security standards as they develop
Above all, the best way to beat hackers – even in the quantum world – will be to avoid a false choice between different security options. Optimum security depends on multi-factor authentication, whether that’s a combination of passwords, passkeys, biometrics, or beyond.
Block compromised Active Directory passwords
No matter what, you’ll always need to stay on top of your passwords – and it’ll be even more critical under the threat of quantum computing.
Specops Password Policy prevents users from creating weak passwords, while searching for any that have been breached or compromised, integrating with your Active Directory to continuously block more than 4 billion compromised passwords.
It’s never been more important to maintain a clear picture of your password security.
Reach out to learn how Specops Password Policy could fit in with your organization.
Sponsored and written by Specops Software.