NSA deadline: quantum-resistant support must begin January 1, 2027
Federal timelines have turned an abstract research problem into a calendar item. The NSA’s Commercial National Security Algorithm Suite 2.0 requires new national security systems to start supporting quantum-resistant algorithms on January 1, 2027, with staggered deadlines through the early 2030s and an objective to make all national security systems quantum-resistant by 2035. In parallel, NIST’s draft IR 8547 deprecates RSA-2048 and ECC P‑256 after 2030 and disallows them entirely after 2035. Those dates are the hard points organizations must now plan around.
The 15-year horizon and the Harvest Now, Decrypt Later threat
The timing is driven less by panic than by probability. The Global Risk Institute’s 2025 Quantum Threat Timeline found that surveyed security specialists put a cryptographically relevant quantum computer within about 15 years, with 51–70% of respondents indicating it was likely. The technical root of the risk goes back to Peter Shor’s 1994 result: a powerful quantum computer could efficiently factor large numbers and compute discrete logarithms, thereby undermining public-key algorithms used to establish trust and agree on keys.
That vulnerability creates a practical tactic: Harvest Now, Decrypt Later. An attacker who captures ciphertext today—credentials, session material, or vaults—can store it and wait until quantum hardware and algorithms allow decryption. The consequence is immediate: any intercepted data with long confidentiality lifetimes should be treated as if already exposed.
Credentials: where confidentiality lifetime and blast radius meet
Not all secrets are equal. The article identifies credentials as the highest-payoff target for future decryption because they often persist for years, or for the lifetime of their services, while many other secrets (session tokens, short-lived keys) expire in months. That persistence makes credentials attractive to harvest-and-wait attacks.
Scale compounds the risk. Organizations increasingly rely on Non‑Human Identities (NHIs)—service accounts, API keys and other machine credentials—that tend to be long‑lived, under-inventoried, and unmanaged. These characteristics make NHIs ideal candidates for capture today and decryption in the future, multiplying the potential blast radius of a Q‑day event.
How to start a credentials‑first quantum migration
- Inventory existing cryptography. Begin where secrets are stored or brokered: password managers, secrets managers, and Privileged Access Management (PAM) systems. Expect to find forgotten service accounts, hardcoded secrets, and dormant integrations.
- Prioritize risk over size. Protect small systems that broker long-lived secrets before large datasets whose contents are short-lived. A single credential that grants access to critical systems can be more urgent than a huge dataset whose confidentiality lifetime is brief.
- Migrate to hybrid cryptography. Combine a classical algorithm with a quantum-resistant one in the same key exchange so connections are protected against both current and future attackers. Hybrid approaches reduce the gamble of placing full trust in a single new primitive.
- Build for crypto‑agility. Expect future deprecations and parameter changes: keep cryptography centralized and configurable so algorithm swaps become configuration changes, not massive code rewrites. For credentials, centralizing crypto simplifies future migrations.
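The hybrid exchange the list describes, written out as an added example (not code from the article or from any vendor it names) using only Go's standard library: X25519 from crypto/ecdh alongside ML-KEM-768 from crypto/mlkem (ML-KEM is the standardized form of Kyber; the package needs Go 1.24 or later). The two shared secrets are fed into one KDF, so the session key holds as long as either component resists the attacker; the context label and the single HKDF-Extract step are simplifications of the TLS hybrid design chosen for this example, not a standard wire format.

```go
package main

import (
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/mlkem"
	"crypto/rand"
	"crypto/sha256"
)

// must keeps the example short: these calls fail only on malformed input or a broken RNG.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// hybridSecret is the combiner: both raw shared secrets, concatenated in a fixed
// order, go through one HKDF-Extract step (HMAC-SHA256, constructed context label as
// salt). The output stays secret while at least one of the two inputs is unbroken.
func hybridSecret(ssECDH, ssKEM []byte) []byte {
	h := hmac.New(sha256.New, []byte("example-hybrid-x25519-mlkem768"))
	h.Write(ssECDH)
	h.Write(ssKEM)
	return h.Sum(nil)
}

// handshake runs one X25519 + ML-KEM-768 exchange in-process and returns both sides' keys.
func handshake() (clientKey, serverKey []byte) {
	x := ecdh.X25519()
	// Client: generate both key pairs. Message 1 (client -> server) is
	// X25519 public key (32 bytes) || ML-KEM-768 encapsulation key (1184 bytes).
	cECDH := must(x.GenerateKey(rand.Reader))
	cKEM := must(mlkem.GenerateKey768())
	hello := append(cECDH.PublicKey().Bytes(), cKEM.EncapsulationKey().Bytes()...)

	// Server: parse message 1 and complete both exchanges. Message 2 (server ->
	// client) is server X25519 public key (32 bytes) || ML-KEM-768 ciphertext (1088 bytes).
	sECDH := must(x.GenerateKey(rand.Reader))
	ssECDH := must(sECDH.ECDH(must(x.NewPublicKey(hello[:32]))))
	ssKEM, ct := must(mlkem.NewEncapsulationKey768(hello[32:])).Encapsulate()
	serverKey = hybridSecret(ssECDH, ssKEM)
	reply := append(sECDH.PublicKey().Bytes(), ct...)

	// Client: parse message 2 and derive the same key using its private halves.
	cSSECDH := must(cECDH.ECDH(must(x.NewPublicKey(reply[:32]))))
	cSSKEM := must(cKEM.Decapsulate(reply[32:]))
	return hybridSecret(cSSECDH, cSSKEM), serverKey
}
```

Swapping the post-quantum component later (a different ML-KEM parameter set, or a successor algorithm) touches only the key generation, encapsulation and length checks in handshake, which is the crypto-agility point: the combiner and everything that consumes the derived key stay unchanged.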
What this means for technologists, procurement leaders, and end users
- Technologists and security teams: Start discovery and rotation projects now. The source warns that enterprise transitions can take 5–15 years and that the discovery phase alone can be 1–2 years in large organizations—so moving quickly on inventories and crypto‑agility pays dividends.
- Procurement and IT leaders: Deadlines from NSA and recommendations in NIST draft IR 8547 imply that procurement specifications should demand quantum-resistant or hybrid-capable solutions. The article notes that vendors are already moving, citing Keeper's rollout of Kyber Hybrid KEM across its client applications in November 2025 as an example.
- End users and administrators: Treat long-lived credentials and machine identities as priority assets to rotate and centralize. The practical advice is to secure where confidentiality lifetime and accessibility intersect, not merely where data volumes are largest.
The arithmetic is simple and uncomfortable: with credible timelines, long-lived credentials harvested today are effectively at risk tomorrow. Organizations do not need a functioning quantum computer to act now—only the certainty that one could arrive within a plausible planning horizon. Starting with credentials, adopting hybrid protections, and building agility into cryptographic infrastructure are concrete steps organizations can take before Q‑day forces them into costly emergency migrations.
https://thehackernews.com/2026/06/why-post-quantum-cryptography-starts.html