The Complete Guide to BIP-39: How Seed Phrases Work and How to Use Them

If you have ever used a cryptocurrency wallet, you have almost certainly encountered the following scenario: upon creating a wallet, a list of 12 (or 24) seemingly random English words appears on the screen. The wallet instructs you to write them down, emphasizing: "do not take a screenshot," "do not store in the cloud," "if you lose these words, no one can help you recover your funds."

Behind this list of words lies a unified technical standard known as BIP-39 (Bitcoin Improvement Proposal 39). This standard was not invented by any single wallet company. Rather, it is a specification collectively adopted by the broader cryptocurrency community.

This article explains what BIP-39 is, how seed phrases are generated, how they are used, and the critical rules and pitfalls you must understand in practice.


1. Fundamentals: What Problem Does BIP-39 Solve?

In the earliest days of Bitcoin, the only way to "back up" a wallet was to save a private key file directly. A private key is a long, seemingly random string of characters. For example: 5Kb8kLf9zgWQJ1VpHvLFTqBmJgpLbR1ZkYwL5kL9zL1GZ6LmF8

This format has two significant problems:

  1. It is highly unfriendly to humans – It is easy to mis-copy or mis-type. A single incorrect character will make it impossible to recover funds.

  2. It is easy to lose – Most people are unlikely to diligently back up a string that appears to have no intrinsic meaning.

BIP-39 proposed an elegant solution: map a randomly generated "seed" onto a list of meaningful English words. The user then only needs to record that list of words to fully restore all private keys and addresses in the wallet. This list of words is called a mnemonic phrase or recovery phrase.


2. Core Technical Parameters: How Many Words? Where Do They Come From?

2.1 Word Count

The BIP-39 standard defines the following possible lengths:

 
 
Word Count   Total Bits   Entropy (Random Data) Length   Checksum Length
12           128          128 bits                       4 bits
15           160          160 bits                       5 bits
18           192          192 bits                       6 bits
21           224          224 bits                       7 bits
24           256          256 bits                       8 bits

The most common lengths used today are 12 words (providing 128 bits of entropy) and 24 words (providing 256 bits of entropy).

  • 12 words – Offers security sufficient for the vast majority of use cases. It is the standard choice for mobile wallets and lightweight wallets.

  • 24 words – Provides an additional security margin and is typically found in hardware wallets or scenarios focused on long‑term cold storage.

To put it in perspective: the total number of possible 12‑word combinations is approximately 2^128. This number is so vast that it remains effectively immune to brute‑force attacks with any currently foreseeable computing power.

2.2 Where Do the Words Come From? – The BIP-39 Wordlist

BIP-39 defines a fixed wordlist for each supported language. The English wordlist contains exactly 2048 words.

The selection of these 2048 words follows specific rules:

  • Each word is between 3 and 8 letters long.

  • The first four letters of each word are unique (to support unambiguous auto‑completion during input).

  • The list avoids easily confusable words such as build and built.

Common examples include:
abandon, ability, able, about, above, absent, absorb, abstract, absurd, abuse

When a software or hardware wallet generates a seed phrase, it selects words strictly from this predefined list. Any word outside this list indicates a non‑standard implementation, which should generally be treated as a warning sign.


3. How Is a Seed Phrase Generated? (Technical Overview)

While not strictly necessary for everyday users, understanding the generation process helps clarify important security properties. The high‑level steps are as follows:

  1. Generate entropy (random data) – The wallet calls the operating system's secure random number generator to produce a continuous stream of random bits.

  2. Add a checksum – A SHA‑256 hash is computed over the entropy. The first several bits of that hash (checksum length = total bits / 32) are taken as a checksum.

  3. Concatenate the binary string – The original entropy and the checksum are joined into one long binary string.

  4. Split into 11‑bit segments – Each 11‑bit segment has a value between 0 and 2047, which corresponds directly to one word in the BIP‑39 wordlist.

  5. Map to words – Each 11‑bit value is used as an index to look up a word in the wordlist. Words are taken in order.

The resulting sequence of words is your seed phrase.

Role of the checksum – When you later enter your seed phrase to recover a wallet, the wallet recalculates the checksum. If it does not match, the wallet knows that either a word is incorrect or the order is wrong.
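
Steps 2 to 5 and the recovery-time checksum check, written out as an added Python example (not code from the original article or from any wallet). It works on word indices rather than words, since the 2048-entry wordlist is not embedded here; the function names are illustrative.

```python
import hashlib
import secrets

VALID_ENTROPY_BITS = (128, 160, 192, 224, 256)  # 12, 15, 18, 21, 24 words


def entropy_to_indices(entropy: bytes) -> list:
    """Steps 2-5: append the checksum, then cut into 11-bit wordlist indices."""
    ent_bits = len(entropy) * 8
    if ent_bits not in VALID_ENTROPY_BITS:
        raise ValueError("entropy must be 16, 20, 24, 28 or 32 bytes")
    cs_bits = ent_bits // 32  # 4 bits for 12 words, 8 bits for 24
    # The checksum is the first cs_bits bits of SHA-256(entropy); cs_bits <= 8,
    # so it always fits inside the first byte of the digest.
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    combined = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // 11
    return [(combined >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]


def indices_are_valid(indices) -> bool:
    """Recovery side: split off the entropy, recompute the checksum, compare."""
    n_words = len(indices)
    if n_words not in (12, 15, 18, 21, 24):
        return False
    if any(not 0 <= i < 2048 for i in indices):
        return False  # not a position in the 2048-word list
    combined = 0
    for i in indices:
        combined = (combined << 11) | i
    cs_bits = n_words // 3
    ent_bytes = (n_words * 11 - cs_bits) // 8
    entropy = (combined >> cs_bits).to_bytes(ent_bytes, "big")
    return entropy_to_indices(entropy) == list(indices)


if __name__ == "__main__":
    # Step 1: fresh entropy from the operating system's CSPRNG (throwaway value).
    fresh = entropy_to_indices(secrets.token_bytes(16))
    print(len(fresh), "indices, checksum valid:", indices_are_valid(fresh))
    # Constructed sample: 16 zero bytes, the public all-zero test vector.
    zero = entropy_to_indices(bytes(16))
    print(zero, indices_are_valid(zero))
    # Replacing the last word breaks the checksum.
    print(indices_are_valid(zero[:-1] + [4]))
```

A 12-word phrase carries only a 4-bit checksum, so roughly one in sixteen random word substitutions still passes this check. It catches most transcription errors, not all of them.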


4. The Relationship Between Seed Phrase and Private Keys (Crucial)

A common misunderstanding among beginners is that the seed phrase is the private key.

In reality, the relationship is as follows:

Mnemonic Phrase + Optional Passphrase → Seed → Master Private Key → Child Private Keys → Corresponding Addresses

Where:

  • The mnemonic phrase is a human‑readable representation of the seed.

  • The seed is a 512‑bit numeric value that serves as the root of all private keys.

  • Private keys are derived from the seed using BIP‑32 (Hierarchical Deterministic Wallets) and path specifications such as BIP‑44, BIP‑49, or BIP‑84.

This means: possession of the seed phrase grants access to every private key for every address in that wallet, regardless of whether those addresses are for Bitcoin, Ethereum, or any other blockchain that supports BIP‑39.

This also explains why the same seed phrase + different derivation paths produces different addresses on different chains. Many wallets can "restore all your coins from a single seed phrase" precisely because they follow these standardised derivation paths.


5. Practical Usage: How to Use a Seed Phrase

5.1 Initial Wallet Creation

  • The wallet generates a seed phrase and displays it on the screen.

  • Record the phrase offline – write it down on paper or stamp it onto a metal plate.

  • The wallet will typically ask for a confirmation step, such as requesting two or three randomly selected words to verify that you have correctly backed them up.

5.2 Wallet Recovery (Importing a Seed Phrase)

  • Select "Recover Wallet" or "Import Wallet" from the wallet's menu.

  • Enter the 12 or 24 words in the correct order, separated by spaces.

  • Optionally, enter a passphrase (discussed below).

  • The wallet recomputes the seed and regenerates the addresses.

Important – The order of the words must exactly match the original seed phrase. An incorrect order produces an entirely different wallet.

5.3 Input Format and Tolerances

BIP-39 defines certain tolerances for input:

  • Case‑insensitive – Abandon and abandon are treated as equivalent.

  • Auto‑completion support – Entering the first four letters is sufficient to uniquely identify a word.

  • Standard separators – Spaces, commas, and line breaks are all accepted.

Nevertheless, it is strongly recommended to preserve the original format exactly as it was presented.


6. Advanced Feature: The Passphrase (The "25th Word")

BIP-39 supports an optional passphrase. This is not a word from the BIP-39 wordlist. The user may define it freely, with no length limit (though at least 12 characters is strongly recommended).

The final seed is computed as:

Seed = Mnemonic Phrase + Passphrase

6.1 Purposes of the Passphrase

  1. Increased security – Even if an attacker obtains your seed phrase, they cannot generate the correct seed without the passphrase.

  2. Hidden wallets (plausible deniability) – The same seed phrase with different passphrases produces entirely different wallets. You can store real assets behind seed phrase + passphrase A and a decoy wallet behind seed phrase + passphrase B.

  3. Protection against physical coercion – If someone forces you to reveal your seed phrase under threat, you can surrender the phrase without the passphrase. They will see only the decoy wallet, while your true wallet remains safe.

6.2 Risks of the Passphrase

  • No recovery mechanism – If you forget the passphrase, your assets are permanently lost. The seed phrase alone will not help.

  • No typo tolerance – An extra space or a different capitalisation produces a completely different seed.

  • Must be backed up separately – The passphrase should never be stored together with the seed phrase.

For the vast majority of ordinary users, the passphrase is not recommended. Only enable it when you fully understand the trade‑offs and accept the associated risks.
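
The formula in this section is shorthand: BIP-39 derives the 512-bit seed with PBKDF2-HMAC-SHA512 (2048 iterations), using the mnemonic as the password and the string "mnemonic" followed by the passphrase as the salt. The Python below is an added example, not code from the original article; it shows why the words tolerate sloppy input (section 5.3) while the passphrase does not (section 6.2). Function names are illustrative, and the sample mnemonic is the public all-zero-entropy test vector.

```python
import hashlib
import unicodedata

# Public BIP-39 test-vector mnemonic (all-zero entropy); sample input only.
TEST_MNEMONIC = "abandon " * 11 + "about"


def normalise_words(raw: str) -> str:
    """Input tolerance from section 5.3: any case; spaces, commas or newlines."""
    return " ".join(raw.replace(",", " ").lower().split())


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """512-bit seed = PBKDF2-HMAC-SHA512(mnemonic, "mnemonic" + passphrase)."""
    # BIP-39 applies Unicode NFKD to both strings and nothing else: the
    # passphrase is never trimmed or case-folded.
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def seed_fingerprints(mnemonic: str, passphrases) -> dict:
    """First 8 seed bytes (hex) per passphrase, to compare wallets at a glance."""
    words = normalise_words(mnemonic)
    return {p: mnemonic_to_seed(words, p).hex()[:16] for p in passphrases}


if __name__ == "__main__":
    # Constructed passphrases: empty, a base value, and two near-misses
    # (trailing space, different capitalisation).
    variants = ["", "TREZOR", "TREZOR ", "trezor"]
    for phrase, fp in seed_fingerprints(TEST_MNEMONIC, variants).items():
        print(repr(phrase), "->", fp)
```

Each passphrase, including the empty one, yields a different and equally valid seed, so a wallet cannot tell a mistyped passphrase from a correct one.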


7. Common Misconceptions and Security Rules

❌ Misconception 1: Taking a screenshot of the seed phrase

Risk – Screenshots are often automatically synced to iCloud or Google Photos. If your cloud account is compromised, the seed phrase is exposed.
Correct practice – Physical media + offline storage only.

❌ Misconception 2: Storing the seed phrase in cloud storage or a notes app

Risk – Cloud services can be breached, note apps can leak data, and third‑party plugins may read file contents.
Correct practice – Physical media only (paper, metal, or a fully offline device).

❌ Misconception 3: 12 words are insecure; only 24 words are safe

Fact – 128 bits of entropy (12 words) provides security far beyond any practical attack today. 24 words are preferred by some users for psychological reassurance or institutional compliance, but 12 words are sufficient for nearly all individual use cases.

❌ Misconception 4: Seed phrases are interchangeable across all wallets

Fact – Most mainstream wallets follow BIP‑39, BIP‑44, and related standards, making them theoretically interchangeable. However, some wallets (including certain non‑standard exchange wallets) use custom derivation paths. Importing a seed phrase from one wallet into another may show a zero balance even though the phrase itself is correct. Before recovery, verify the derivation path used by the source wallet.

✅ Summary of Core Security Rules

  • The seed phrase is the ultimate credential for your assets – it is even more fundamental than a private key.

  • Never store the seed phrase in any digital or electronic form.

  • Never share your seed phrase with anyone.

  • Any person or website that asks for your seed phrase is a scammer.

  • The same seed phrase can be used to recover wallets from different software, but confirm derivation path compatibility first.


8. How to Verify That Your Seed Phrase Is Valid

If you wish to confirm whether a seed phrase is structurally valid, you may use open‑source tools in a strictly offline environment. Examples include:

  • Ian Coleman's BIP-39 tool (strongly recommended to download the offline version and run it on an air‑gapped computer – never use the online version with real funds)

  • Recovery test feature built into many hardware wallets

  • A fully offline computer running an official open‑source verification script

Never enter a real seed phrase into any website connected to the internet for the purpose of "testing."


9. Conclusion: BIP-39 Is a Remarkable Balance

BIP-39 masterfully strikes a balance between security and usability. It transforms a random string that is easy to mis‑write into a set of ordinary words that an average person can manually copy and preserve for years.

But its power comes with proportional responsibility. A single seed phrase represents complete financial control.

Understanding BIP-39 is not about mastering cryptographic formulas. It is about establishing a rational set of security habits:

  • Know what it is.

  • Know what it can do.

  • Know what you must never do with it.

Then, treat those 12 or 24 words written on paper with the seriousness they deserve. They are your only key to the world of crypto assets – and at the same time, the most vulnerable link in the chain.
