Seed Phrases (BIP39)

Asking a human to write down a 256-bit number in hexadecimal is asking for a transcription disaster. BIP39 seed phrases solve this by turning that raw randomness into an ordered list of ordinary words — army, voyage, umbrella… — that people can actually copy, check, and even memorize. The words are not a password for your wallet; they are your wallet’s master secret in human-readable form. This page traces the pipeline from coin-flip entropy to the seed that feeds the HD tree.

ENTROPY (random bits)
│ append checksum (from SHA-256 of the entropy)
bits split into 11-bit groups
│ each group → one word from a 2048-word list
MNEMONIC (12 / 15 / 18 / 21 / 24 words)
│ + optional passphrase, run through PBKDF2 (2048 rounds, HMAC-SHA512)
512-bit SEED ──► feeds BIP32 to derive the whole key tree

Notice the mnemonic is an intermediate, human-friendly representation of the entropy — and the seed (what actually drives HD derivation) is computed from the mnemonic plus an optional passphrase. Two separate stages, and the distinction matters below.

Start with entropy: pure random bits, the same scarce resource everything else depends on. BIP39 uses 128 bits (→ 12 words) up to 256 bits (→ 24 words).

The clever bit is the checksum. BIP39 hashes the entropy with SHA-256 and appends the first few bits of that hash to the entropy before chopping it into words:

128-bit entropy + 4-bit checksum = 132 bits ÷ 11 = 12 words
256-bit entropy + 8-bit checksum = 264 bits ÷ 11 = 24 words

Each 11-bit chunk indexes into a fixed list of exactly 2048 words (2¹¹ = 2048). Because the checksum is woven in, a phrase with a typo or a word in the wrong slot is detectably invalid — software can tell you “this isn’t a valid BIP39 phrase” rather than silently deriving a wrong, empty wallet. The wordlist is also designed so the first four letters uniquely identify each word, which helps with imperfect handwriting and limited-keyboard hardware devices.

It comes down to entropy, the same haystack-size argument as for keys and signatures:

Words   Entropy    Security
12      128 bits   infeasible to brute-force
24      256 bits   infeasible to brute-force, with margin

128 bits is already beyond any conceivable brute-force attack — there is no practical difference in “can someone guess it” between 12 and 24. People choose 24 words for a larger safety margin and to match the 256-bit strength of the keys themselves, not because 12 is breakable. Either is safe; what’s never safe is a phrase you invented yourself instead of one generated from real entropy.

BIP39 lets you add an optional passphrase — a string of your choosing that is mixed into the seed derivation. It’s nicknamed the “25th word,” though it can be any text.

The key insight: the passphrase isn’t checked against anything. Every passphrase produces a different valid seed, and therefore a completely different, fully functional wallet. The flip side is that a mistyped or forgotten passphrase cannot be detected or recovered: the software simply opens a different, empty wallet.

same 24 words + (no passphrase) → Wallet A
same 24 words + "correct horse" → Wallet B (totally separate funds)
same 24 words + "hunter2" → Wallet C (totally separate funds)

This gives two powerful properties:

  • Extra factor: an attacker who steals your written words still can’t spend without the passphrase, which lives only in your head. The words become “something you have,” the passphrase “something you know.”
  • Plausible deniability: you can keep a small decoy balance on the no-passphrase wallet and your real funds behind a passphrase. Under coercion, you reveal the words; the visible wallet looks like everything you own. The hidden wallet is indistinguishable from “there is no hidden wallet.”
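The pipeline above (entropy, checksum, 11-bit word indices) and the passphrase split into Wallet A / Wallet B, as an added example that is not part of the original page. It works in word indices rather than words because the 2048-word list is not embedded; the checksum is SHA-256 of the entropy, and the seed is PBKDF2-HMAC-SHA512 with 2048 rounds over the NFKD-normalised mnemonic, salted with "mnemonic" plus the passphrase, as BIP39 specifies. The demo phrase is the spec’s all-zero-entropy test vector.

```python
import hashlib
import unicodedata

WORDLIST_SIZE = 2048  # 2**11; every index below maps to one word of the BIP39 list


def entropy_to_indices(entropy: bytes) -> list[int]:
    """Append the SHA-256 checksum (ENT/32 bits) and cut the result into 11-bit word indices."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 128..256 bits in 32-bit steps")
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)  # leading cs_bits of the hash
    value = (int.from_bytes(entropy, "big") << cs_bits) | checksum      # entropy || checksum
    total = ent_bits + cs_bits
    return [(value >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]


def indices_to_entropy(indices: list[int]) -> bytes:
    """Inverse of entropy_to_indices; raises ValueError when the embedded checksum does not match."""
    total = len(indices) * 11
    if total % 33 != 0 or any(not 0 <= i < WORDLIST_SIZE for i in indices):
        raise ValueError("not a BIP39-shaped sequence of word indices")
    cs_bits = total // 33
    value = 0
    for i in indices:
        value = (value << 11) | i
    entropy = (value >> cs_bits).to_bytes((total - cs_bits) // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    if value & ((1 << cs_bits) - 1) != expected:
        raise ValueError("checksum mismatch: a word is wrong or in the wrong slot")
    return entropy


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """PBKDF2-HMAC-SHA512, 2048 rounds, salt = 'mnemonic' + passphrase, both NFKD-normalised."""
    def nfkd(s: str) -> bytes:
        return unicodedata.normalize("NFKD", s).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", nfkd(mnemonic), b"mnemonic" + nfkd(passphrase), 2048)


if __name__ == "__main__":
    # Spec test vector: 128 zero bits -> indices 0 x 11 then 3 ("abandon" x 11, "about").
    print(entropy_to_indices(bytes(16)))
    phrase = "abandon " * 11 + "about"
    # Same words, different passphrase: Wallet A and Wallet B share nothing.
    print(mnemonic_to_seed(phrase).hex())
    print(mnemonic_to_seed(phrase, "TREZOR").hex())
```

Note that a 12-word phrase carries only a 4-bit checksum, so a random transcription error slips past it about one time in 16; the check guards against slips, it does not prove the phrase is the one you wrote down.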

The single most important takeaway is that the backup is the words, not the device. Your hardware wallet, phone, or laptop is disposable. It can be dropped in a lake, stolen, or bricked by a firmware bug, and you lose nothing — you buy a new device, type the words, and your full key tree regenerates deterministically. What you can never replace is the mnemonic itself. The device is a convenient signing tool; the words are the actual wealth.

So: write the words on something durable (paper at minimum, stamped metal for fire/water resistance), store copies in separate physical locations, and never let the only copy live on anything connected to the internet — or that can burn, flood, or be found in one search.

How does this help untrusting strangers agree on one ledger? The ledger only recognizes signatures, and signatures come from keys, and all your keys descend from this one seed. The seed phrase is how a single human safely holds the root of that authority without any institution custodying it for them. It turns “be your own bank” from a slogan into something a person can physically accomplish with a piece of metal and a memorized passphrase — sovereign participation in a global ledger, with no counterparty to trust and no registrar to lose your account.

  1. Walk the pipeline from raw entropy to the final seed. Where does the mnemonic sit, and where does the passphrase enter?
  2. What does the BIP39 checksum let software detect, and why are there exactly 2048 words?
  3. Is a 12-word phrase meaningfully less secure than 24 for resisting brute force? Explain in terms of entropy.
  4. How does the passphrase enable both an extra security factor and plausible deniability — and why is there no recovery for it?
  5. Why is “the backup is the words, not the device” the central rule, and what’s the one place you must never enter your seed?