Organizations Urged To Prioritize Credentials In Transition To Post Quantum Cryptography

Security experts are urging organizations to begin preparing for the transition to post-quantum cryptography by placing credentials at the center of their migration strategies. According to guidance published by The Hacker News, the growing capabilities of quantum computing pose a future risk to today’s public-key cryptography, even though current quantum hardware cannot yet break encryption algorithms such as RSA or elliptic-curve cryptography. Experts warn that encrypted information intercepted today can be collected and stored by attackers before being decrypted once sufficiently powerful quantum computers become available. This approach, commonly referred to as Harvest Now, Decrypt Later, means that organizations should already consider long-term confidential data to be at risk. While symmetric encryption methods such as AES-256 and modern hashing algorithms are not currently considered vulnerable to Shor’s algorithm, the public-key cryptography used to establish trust and exchange encryption keys remains susceptible to future quantum attacks. As a result, organizations are being encouraged to begin planning their migration well before quantum computers become capable of breaking existing cryptographic standards.

Research cited in the Global Risk Institute’s 2025 Quantum Threat Timeline report indicates that a majority of surveyed security professionals believe cryptographically relevant quantum computers are likely to become available within the next 15 years. The report follows decades of research that began in 1994 when mathematician Peter Shor demonstrated that sufficiently powerful quantum computers could efficiently solve mathematical problems that underpin widely used public-key cryptography. Although the exact arrival of such systems remains uncertain, government agencies have already established migration timelines to prepare for the transition. NSA Commercial National Security Algorithm Suite 2.0 requires new national security systems to begin supporting quantum-resistant algorithms from January 1, 2027, with broader implementation expected throughout the early 2030s and complete migration targeted by 2035. Similarly, NIST has proposed guidance through draft IR 8547 that deprecates RSA-2048 and ECC P-256 after 2030 and prohibits their use entirely after 2035. Security specialists note that enterprise-wide migration projects can require between five and fifteen years to complete because organizations must first identify and assess cryptographic dependencies before replacing them across complex technology environments.

Experts emphasize that credentials represent one of the most significant risks in a post-quantum environment because they generally remain valid for much longer than other sensitive information. Unlike temporary session tokens that expire within weeks or months, credentials associated with systems, applications, and machine identities often remain active for years. The rapid growth of Non-Human Identities, including service accounts, application credentials, and API keys, has further increased this exposure because many of these credentials are not regularly rotated or comprehensively inventoried. Security guidance recommends that organizations begin by identifying systems responsible for storing or managing secrets, including password managers, secrets management platforms, and Privileged Access Management solutions. This process can reveal forgotten service accounts, embedded credentials, inactive integrations, and hardcoded secrets that may otherwise remain vulnerable. Rather than prioritizing systems based solely on size, experts recommend evaluating credentials according to confidentiality lifespan, exposure level, and the potential operational impact if they are compromised. Long-lived credentials that provide access to critical infrastructure are considered higher priority than large volumes of short-lived encrypted information because they present greater long-term risk under Harvest Now, Decrypt Later scenarios.
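The prioritization described above can be expressed as a small triage over a credential inventory. This is an added example, not code from the article or the guidance it cites; the field names, the 1 to 3 scales, the sample records, and the `crqc_year` planning horizon are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Public-key algorithms named in the article as quantum-vulnerable.
# Symmetric AES-256 is deliberately absent from this set.
QUANTUM_VULNERABLE = {"RSA-2048", "ECC-P256"}

@dataclass
class Credential:
    name: str
    protected_by: str             # algorithm guarding the secret in transit or at rest
    valid_until: Optional[date]   # None = no enforced rotation or expiry
    exposure: int                 # assumed scale: 1 internal .. 3 internet-facing
    impact: int                   # assumed scale: 1 low .. 3 critical infrastructure

def hndl_at_risk(cred: Credential, crqc_year: int) -> bool:
    """True if a capture made today would still unlock something at crqc_year."""
    outlives = cred.valid_until is None or cred.valid_until.year >= crqc_year
    return cred.protected_by in QUANTUM_VULNERABLE and outlives

def triage(inventory, crqc_year):
    """Order by HNDL risk first, then impact, then exposure (highest first)."""
    ranked = sorted(
        inventory,
        key=lambda c: (hndl_at_risk(c, crqc_year), c.impact, c.exposure),
        reverse=True,
    )
    return [(c.name, hndl_at_risk(c, crqc_year)) for c in ranked]

# Constructed sample inventory, not real data.
INVENTORY = [
    Credential("web-session-token", "ECC-P256", date(2026, 3, 1), 3, 3),
    Credential("backup-archive-key", "AES-256", None, 1, 3),
    Credential("ci-deploy-api-key", "ECC-P256", date(2040, 1, 1), 3, 2),
    Credential("legacy-plant-svc-account", "RSA-2048", None, 2, 3),
]

if __name__ == "__main__":
    # 2035 is used here only as an assumed planning horizon.
    for name, at_risk in triage(INVENTORY, crqc_year=2035):
        print(f"{'MIGRATE FIRST' if at_risk else 'later':13}  {name}")
```

The never-rotated service account outranks the internet-facing session token even though both are critical, because only the former is still valid at the assumed horizon.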

The advisory also recommends adopting hybrid cryptography as an intermediate step during the migration process. Instead of immediately replacing traditional cryptographic algorithms, hybrid approaches combine classical encryption with quantum-resistant algorithms during key exchange, allowing organizations to maintain compatibility while improving resilience against future quantum attacks. Experts also encourage enterprises to build crypto-agility into their infrastructure so future cryptographic updates can be managed through centralized configuration changes rather than extensive software redevelopment. Centralizing cryptographic controls for credentials reduces the complexity of future migrations and simplifies algorithm replacement across applications, development pipelines, and integrated systems. The guidance notes that the deployment of quantum-resistant cryptography has already begun in some commercial platforms. In November 2025, Keeper started rolling out Kyber Hybrid Key Encapsulation Mechanisms across its client applications to strengthen protection against Harvest Now, Decrypt Later attacks and other quantum-related threats. Security professionals maintain that organizations should begin securing credentials now because the transition to post-quantum cryptography will require sustained planning, extensive inventory work, and long-term investment before quantum computing reaches a level capable of compromising current public-key encryption.
