Harvest Now, Decrypt Later: Why Credentials Are the First Casualty of Q-Day
Captured ciphertext today becomes plaintext tomorrow. Credentials sit at the top of the target list.

The threat model is uncomfortable but simple. Adversaries — including state-aligned collectors with the patience and storage budget to play a long game — are capturing encrypted traffic today on the assumption that a sufficiently capable quantum computer will eventually break the public-key cryptography protecting it.
No machine in operation today can break RSA or elliptic curve cryptography. That is not the question. The question is what an attacker who hoarded TLS sessions in 2024 can read in 2032 or 2035.
Credentials are the natural first target.
Unlike a leaked memo or an old purchase order, credentials retain operational value long after capture. A static API key, a service account password, a long-lived OAuth refresh token, a SAML signing key — these often outlive the cryptographic envelope that originally protected them in transit. Rotate them rarely, and you have effectively pre-positioned a future intrusion against yourself.
The "harvest now, decrypt later" pattern (sometimes abbreviated HNDL or store-now-decrypt-later) has been called out by NSA, CISA and NIST for several years now. NIST finalized the first batch of post-quantum standards in August 2024: ML-KEM for key encapsulation, ML-DSA for digital signatures, and SLH-DSA as a hash-based signature backup. CISA's joint guidance on quantum-readiness tells operators to inventory cryptography now and prioritize data with long confidentiality requirements.
Attribution of active HNDL collection is hard, and worth flagging with appropriate caveats. Public reporting on bulk-collection programs is largely circumstantial. Our medium-confidence assessment is that several SIGINT-capable services have both the capability and the intent to retain encrypted sessions of intelligence value. Capability is not the same as a confirmed program, and the analyst community should keep that distinction clean.
What to actually do, in order of leverage:
- Inventory where credentials traverse the wire and where they sit at rest. Long-lived secrets in CI/CD, machine identities, and root certs deserve top billing.
- Shorten credential lifetimes aggressively. A token that expires in an hour is uninteresting to a 2035 decryptor.
- Track your vendors' PQC roadmaps. Apple's PQ3 for iMessage, Cloudflare's hybrid post-quantum TLS, and Chrome's X25519MLKEM768 rollout are useful reference points.
- Plan for crypto-agility. The migration will not be one-and-done, and hybrid schemes are the near-term reality.
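The first two steps can be combined into a triage pass over a credential inventory. The Python below is an added example, not part of the original article: the record fields, the sample inventory and the 2032 decryption date are assumptions chosen for illustration, and it assumes each credential's `kex_group` reflects every transport the secret has ever crossed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Key-exchange groups treated as quantum-resistant in transit. X25519MLKEM768 is
# the hybrid group named above; extend this set to match your own TLS inventory.
PQ_HYBRID_GROUPS = {"X25519MLKEM768"}

@dataclass
class Credential:
    name: str
    issued: datetime
    lifetime: Optional[timedelta]  # None = static secret with no scheduled rotation
    kex_group: str                 # TLS key-exchange group it travels under

def hndl_exposure(cred: Credential, decrypt_date: datetime) -> Optional[timedelta]:
    """Return how long the credential is still valid after decrypt_date.

    None means a session captured today yields nothing usable: either the
    transport was already hybrid post-quantum, or the credential expires first.
    timedelta.max marks a static secret that never expires on its own.
    """
    if cred.kex_group in PQ_HYBRID_GROUPS:
        return None
    if cred.lifetime is None:
        return timedelta.max
    residual = cred.issued + cred.lifetime - decrypt_date
    return residual if residual > timedelta(0) else None

def triage(inventory, decrypt_date):
    """Exposed credentials, longest residual validity first."""
    exposed = [(c.name, e) for c in inventory
               if (e := hndl_exposure(c, decrypt_date)) is not None]
    return sorted(exposed, key=lambda item: item[1], reverse=True)

# Constructed sample inventory; names, dates and lifetimes are illustrative only.
T0 = datetime(2024, 6, 1)
INVENTORY = [
    Credential("ci-deploy-api-key", T0, None, "x25519"),
    Credential("oauth-refresh-token", T0, timedelta(days=3650), "secp256r1"),
    Credential("oauth-access-token", T0, timedelta(hours=1), "x25519"),
    Credential("svc-account-password", T0, None, "X25519MLKEM768"),
]

if __name__ == "__main__":
    for name, residual in triage(INVENTORY, datetime(2032, 1, 1)):
        label = "never expires" if residual == timedelta.max else f"{residual.days} days left"
        print(f"{name}: {label}")
```

Rerunning the triage with a later assumed decryption date shows which entries drop off the list through expiry alone and which only rotation or a transport change will remove.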
The quantum timeline is genuinely uncertain. The collection timeline is not. Anything you send in cleartext-equivalent today should be treated as eventually readable, and credentials are where that math hurts first.



