Quantum computing threat of breaking passwords?

[GitHubinatrix]

Is it possible to future proof password to KeePassXC database anticipating advancements in quantum computing?

My current password consists of 1000 signs of all kinds, including manually added by me e.g. 10 types of pause signs and block elements [pasted in with elaborate method and supplemented with some salting]; plus my Decryption Time is set to 4 seconds. But I also secure my data by creating backups of it on optical discs

And so: my current password is [I hope] extremely strong - but will it not be a matter of seconds to break it in a not so distant future? Will it not be a child's play to gain access to my passwords even if I upgrade my database with some new main password and [hypothetical] quantum encryption algorithm?

Should I perhaps increase the number of signs to 10 000 or will this be futile because it will be still a matter of as little as minutes for matured quantum computers to decrypt such database?

[droidmonkey]

You should not use any signs at all, whatever that is you are referring to. Quantum computing is not going to break AES-256 anytime in the near future.

You should stop doing things that only make your life worse. Use a 20 character password, nothing too fancy. Use 1 second decryption time.

Your password is actually irrelevant after about 32 characters since we hash it using SHA-256. Anything longer will get hashed down to 32 bytes anyway. Additionally, quantum computing attack would just try to find the final post-transformed hash value and not go through the key derivation or care what your password is at all.

[GitHubinatrix]

But what about more distant future?

If I create today an optical disc backup with good enough password - will it not be a threat to my security if someone gets such disc?

So in general / other words: will not having multiple backups scattered around potentially backfire, when quantum computing advances, as any person would have to either get rid of all of their copies or be forced to change all passwords in the current database?

[michaelk83]

If you rotate your passwords at least once in a year or two, your old backups will become obsolete before they can be hacked. Services and storage media also change over time. Not many people use CDs anymore, or even DVDs. But as droidmonkey said, using a normal strong password (nothing too crazy) will keep your backups from getting hacked for the foreseeable future, even if they are stolen, and even if they are still relevant.

But as a 2nd line of defense, don't scatter your backups irresponsibly where you can't account for them, and where unauthorized people can get to them. Online backup services update their protections over time and should notify you if there's been a breach. Banks should also notify you if their safe where you keep your stuff is broken into. Neither breach is likely.

[GitHubinatrix]

Time after time there are leaks of data and hacks of various services. This is constant. And from time to time a story breaks about some institution not informing its clients in the first place about such happening. That is why I do not keep anything of value in the cloud. But I would like to have a private NAS [in another country in my friend's house]

And although it is physically possible to change all of passwords every couple of months or even weeks- it would be such tiresome modus operandi and time eating task than no sane person should think about implementing it, unless being a masochist. I have around 200 accounts of various kinds. And some of the online services were designed by sadists and / or idiots, who tell you to set-up / write a new password without telling what signs are not allowed in it and sometimes even without telling you what is the max allowed length of it. Hence you use time and energy or trying to guess what the limitations are and on simplifying your new password

As for scattering of optical disks, it is cheaper [and a little safer] than giving to people your drives for safe keeping- but nevertheless no one should relay on keeping backups just in one physical location, right? And just like one can now still buy floppy drives so it will be possible to buy optical reading hardware for decades to come

So it seems that the only good optimal thing to do is to keep changing the main password to the database holding all the other passwords- but then again if I will have to go back for whatever reason to a backup from 5 years I will need an old password for it. Thus I will have to keep it somewhere. Where and how? Always in the newest version of my database?

[michaelk83]

No need to rotate the passwords every few months, let alone weeks. Once in a year or two is plenty. And you can limit that to just the services that you consider critical, such as your bank and main email. If someone hacks your commenter account on some obscure blog somewhere, does that really matter? Probably not. Chances are they wouldn't even bother.

Rotating the master password is less useful. WHEN computers advance enough to crack the current encryption methods, and IF someone actually gets their hands on some by-then-old database backup and IF they actually bother cracking it, they would crack it exactly the same regardless of what the master password is.

The point of rotating the individual passwords inside the database is that IF an old copy gets cracked, the passwords in there would be wrong. So this would not immediately expose those services, and they would still have to crack them individually. (Meanwhile, newer copies of the database would be saved with newer encryption methods, so it would take longer until they can be cracked. By which point, those passwords would also be out of date.)