Skip to content

Seed Phrases (BIP39)

Asking a human to write down a 256-bit number in hexadecimal is asking for a transcription disaster. BIP39 seed phrases solve this by turning that raw randomness into an ordered list of ordinary words — army, voyage, umbrella… — that people can actually copy, check, and even memorize. The words are not a password for your wallet; they are your wallet’s master secret in human-readable form. This page traces the pipeline from coin-flip entropy to the seed that feeds the HD tree.

ENTROPY (random bits)
│ append checksum (from SHA-256 of the entropy)
bits split into 11-bit groups
│ each group → one word from a 2048-word list
MNEMONIC (12 / 15 / 18 / 21 / 24 words)
│ + optional passphrase, run through PBKDF2 (2048 rounds, HMAC-SHA512)
512-bit SEED ──► feeds BIP32 to derive the whole key tree

Notice the mnemonic is an intermediate, human-friendly representation of the entropy — and the seed (what actually drives HD derivation) is computed from the mnemonic plus an optional passphrase. Two separate stages, and the distinction matters below.

Start with entropy: pure random bits, the same scarce resource everything else depends on. BIP39 uses 128 bits (→ 12 words) up to 256 bits (→ 24 words).

The clever bit is the checksum. BIP39 hashes the entropy with SHA-256 and appends the first few bits of that hash to the entropy before chopping it into words:

128-bit entropy + 4-bit checksum = 132 bits ÷ 11 = 12 words
256-bit entropy + 8-bit checksum = 264 bits ÷ 11 = 24 words

Each 11-bit chunk indexes into a fixed list of exactly 2048 words (2¹¹ = 2048). Because the checksum is woven in, a phrase with a typo or a word in the wrong slot is detectably invalid — software can tell you “this isn’t a valid BIP39 phrase” rather than silently deriving a wrong, empty wallet. The wordlist is also designed so the first four letters uniquely identify each word, which helps with imperfect handwriting and limited-keyboard hardware devices.

It comes down to entropy, the size of the haystack from keys and signatures:

WordsEntropySecurity
12128 bitsinfeasible to brute-force
24256 bitsinfeasible to brute-force, with margin

128 bits is already beyond any conceivable brute-force attack — there is no practical difference in “can someone guess it” between 12 and 24. People choose 24 words for a larger safety margin and to match the 256-bit strength of the keys themselves, not because 12 is breakable. Either is safe; what’s never safe is a phrase you invented yourself instead of one generated from real entropy.

BIP39 lets you add an optional passphrase — a string of your choosing that is mixed into the seed derivation. It’s nicknamed the “25th word,” though it can be any text.

The key insight: the passphrase isn’t checked against anything. Every passphrase produces a different valid seed, and therefore a completely different, fully functional wallet:

same 24 words + (no passphrase) → Wallet A
same 24 words + "correct horse" → Wallet B (totally separate funds)
same 24 words + "hunter2" → Wallet C (totally separate funds)

This gives two powerful properties:

  • Extra factor: an attacker who steals your written words still can’t spend without the passphrase, which lives only in your head. The words become “something you have,” the passphrase “something you know.”
  • Plausible deniability: you can keep a small decoy balance on the no-passphrase wallet and your real funds behind a passphrase. Under coercion, you reveal the words; the visible wallet looks like everything you own. The hidden wallet is indistinguishable from “there is no hidden wallet.”

This is the single most important takeaway. Your hardware wallet, phone, or laptop is disposable. It can be dropped in a lake, stolen, or bricked by a firmware bug, and you lose nothing — you buy a new device, type the words, and your full key tree regenerates deterministically. What you can never replace is the mnemonic itself. The device is a convenient signing tool; the words are the actual wealth.

So: write the words on something durable (paper at minimum, stamped metal for fire/water resistance), store copies in separate physical locations, and never let the only copy live on anything connected to the internet — or that can burn, flood, or be found in one search.

Step back from the wordlist and ask the five questions that turn an implementer into an architect:

  • Why does it exist? Because asking a human to transcribe a 256-bit number in hex is a disaster waiting to happen — BIP39 turns raw entropy into 12–24 ordinary words people can copy, check, and even memorize, then runs them through PBKDF2 into the seed that feeds the BIP32 tree.
  • What problem does it solve? Safe human backup with error-catching: the woven-in SHA-256 checksum (4 bits for 12 words, 8 for 24) makes a typo or swapped word detectably invalid instead of silently deriving an empty wallet, and the fixed 2048-word list (2¹¹ per word) is designed so the first four letters identify each word.
  • What are the trade-offs? The words are the master secret — anyone who reads them owns the coins — so the convenience cuts both ways. The optional passphrase (“25th word”) adds a factor and plausible deniability, but nothing stores or verifies it: forget it and the funds are simply gone, with no “wrong password, try again.”
  • When is this the wrong design? Choosing 12 vs 24 words for “more security” is largely theater — 128 bits is already ~a billion times the age of the universe to brute-force; pick 24 only to match key strength, not because 12 is breakable. And a phrase you invent yourself instead of drawing from real entropy defeats the whole scheme.
  • What breaks if I remove it? Without the mnemonic layer you’re back to backing up raw keys or a fragile hex string; lose the checksum and bad transcriptions restore wrong wallets; and there is no recovery desk — type the words into a phishing “validation” page and every key is swept instantly.

How does this help untrusting strangers agree on one ledger? The ledger only recognizes signatures, and signatures come from keys, and all your keys descend from this one seed. The seed phrase is how a single human safely holds the root of that authority without any institution custodying it for them. It turns “be your own bank” from a slogan into something a person can physically accomplish with a piece of metal and a memorized passphrase — sovereign participation in a global ledger, with no counterparty to trust and no registrar to lose your account.

  1. Walk the pipeline from raw entropy to the final seed. Where does the mnemonic sit, and where does the passphrase enter?
  2. What does the BIP39 checksum let software detect, and why are there exactly 2048 words?
  3. Is a 12-word phrase meaningfully less secure than 24 for resisting brute force? Explain in terms of entropy.
  4. How does the passphrase enable both an extra security factor and plausible deniability — and why is there no recovery for it?
  5. Why is “the backup is the words, not the device” the central rule, and what’s the one place you must never enter your seed?
Show answers
  1. Raw entropy → append a checksum (from SHA-256 of the entropy) → split into 11-bit groups → each group indexes one word → the mnemonic (12–24 words) → run mnemonic plus an optional passphrase through PBKDF2 → the 512-bit seed that feeds BIP32. The mnemonic is the human-friendly intermediate; the passphrase enters at the final mnemonic-to-seed stage.
  2. The checksum lets software detect a phrase that’s invalid — a typo or a word in the wrong slot — rather than silently deriving a wrong, empty wallet. There are exactly 2048 words because each word encodes one 11-bit chunk and 2¹¹ = 2048.
  3. No. 128 bits (12 words) is already beyond any conceivable brute-force attack, so there’s no practical difference in guessability versus 256 bits (24 words). People choose 24 for a larger margin and to match the 256-bit strength of the keys themselves — not because 12 is breakable.
  4. Every passphrase produces a different valid seed and wallet, and nothing checks it. That makes it an extra factor (a thief with your words still can’t spend without the passphrase, which lives only in your head) and enables plausible deniability (a decoy no-passphrase wallet hides the real funds). And because nothing stores or verifies it, a forgotten or mistyped passphrase means the funds are simply gone — there’s no “wrong password, try again.”
  5. Because the device is disposable — drop it in a lake or brick it and you lose nothing; you buy a new one, type the words, and the whole key tree regenerates deterministically. The mnemonic is the actual wealth and can never be replaced. The one place you must never enter your seed is any website or app you didn’t initiate — a page asking for your words is always a theft attempt.