How quickly could a quantum computer crack your password?
A sufficiently powerful, fault-tolerant quantum computer could significantly accelerate password cracking, reducing the time from potentially millions of years for a classical computer to mere minutes, hours, or days, depending on the password’s complexity and the quantum computer’s power. However, practical quantum computers capable of this at scale do not exist yet.
HOW IT WORKS (Theoretically)
Quantum computers employ two key algorithms that pose a threat to current security:
Grover’s Algorithm: This algorithm can speed up brute-force attacks on password hashes (which are stolen offline) by providing a quadratic speedup. It reduces the time needed from N possibilities to approximately the square root of N possibilities. For example, an 8-character complex password that might take a classical GPU minutes to hours could theoretically be cracked by a capable quantum computer in seconds to minutes.
Shor’s Algorithm: This algorithm can factor large numbers exponentially faster than classical computers, which directly threatens public-key encryption schemes like RSA and ECC (used to establish secure connections). A quantum computer with enough stable qubits could potentially break a 2048-bit RSA key in hours or days, a task that would take classical computers billions of years. While Shor’s algorithm primarily targets the underlying infrastructure’s encryption, breaking this could compromise the system that transmits your password.
CURRENT REALITY
Current Limitations: Quantum computers today are still in early stages, with limited qubits and high error rates. They are not yet powerful enough for practical, real-world password cracking or breaking major encryption standards.
Online Protection: Online accounts are also protected by defences like rate limiting (limiting the number of login attempts) and CAPTCHAs, which effectively block even the fastest computers from making a high volume of guesses in real-time.
“HARVEST NOW, DECRYPT LATER”: A current concern is the “harvest now, decrypt later” threat, where sensitive data encrypted today is collected by malicious actors to be stored and decrypted once powerful quantum computers become available in the future.
WHAT YOU CAN DO
The security community is actively developing post-quantum cryptography (PQC) standards to counter this future threat. In the meantime, the best defense is to use very long, complex passwords (14 characters or more) and enable multi-factor authentication (MFA), which makes a brute-force attack much more difficult. Using hardware security keys and password managers is also recommended.
