Anatomy of a Seed Phrase

12 min read · Guide 1 of 7

Everything you need to know about BIP39 seed phrases — from entropy generation and word selection to checksum verification and master key derivation.

What is a seed phrase and why is it important?

What Is a Seed Phrase?

A seed phrase (also called a mnemonic phrase or recovery phrase) is a set of 12 to 24 English words that serves as the master backup for your entire cryptocurrency wallet. These words are selected from a standardized list of exactly 2,048 words defined by the BIP39 specification — an open standard adopted by virtually every modern wallet.

Think of a seed phrase like the master key to an entire building. From this single key, every room key (private key) and every lock (address) can be regenerated. Lose the master key, and every room becomes permanently inaccessible.

Unlike a traditional password, a seed phrase cannot be reset or recovered by a support team. There is no "forgot password" mechanism in self-custody crypto. If you lose your seed phrase and your wallet device is destroyed, your funds are gone forever — locked on the blockchain with no way to access them.

Why 12 or 24 Words?

The word count directly corresponds to the amount of randomness (entropy) used to generate the phrase. More words means more entropy and a larger space of possible combinations:

  • 12 words — 128 bits of entropy (standard security)
  • 15 words — 160 bits of entropy
  • 18 words — 192 bits of entropy
  • 24 words — 256 bits of entropy (maximum security)

For most users, 12 words provides more than sufficient security. 24 words is often recommended for high-value holdings where maximum entropy is desired.

How are seed phrase words chosen?

How Are the Words Chosen?

Your wallet does not pick words at random from a dictionary. Instead, it uses a rigorous, deterministic process rooted in cryptography:

  1. A cryptographically secure random number generator (CSPRNG) produces a sequence of random bits called entropy — for example, 128 random bits for a 12-word phrase
  2. A SHA-256 checksum is calculated from the entropy and the first few bits are appended to the end
  3. The combined bit string (entropy + checksum) is divided into 11-bit segments
  4. Each 11-bit segment represents a number between 0 and 2,047
  5. Each number maps to a specific word on the BIP39 wordlist

Flow: Entropy (128–256 random bits) → SHA-256 (hash for checksum) → Append CS (4–8 checksum bits) → Split 11-bit (divide into groups) → Word Lookup (map to BIP39 list)

Because 2^11 = 2,048, every possible 11-bit value has a corresponding word. The mapping is entirely deterministic — the same bits always produce the same word in the same position.

The BIP39 Wordlist

The English BIP39 wordlist was carefully curated with specific rules to minimize human error:

  • Each word is uniquely identifiable by its first four characters (no two words share the same prefix)
  • Visually similar words (like "woman" and "women") were excluded
  • Common, easy-to-spell words were prioritized
  • Wordlists also exist in Spanish, Japanese, Korean, Chinese, French, Italian, Czech, and Portuguese

Why does the order of seed phrase words matter?

Why Does Order Matter?

The order of your seed words is absolutely critical. Changing the position of even a single word produces a completely different wallet with entirely different keys and addresses. Your original funds would be inaccessible.

Important: Always write your words down in the exact order they appear. Number each word (1, 2, 3…) to avoid confusion when restoring your wallet. Double-check each word against what the wallet displays before proceeding.

To understand the scale of security this provides: a 12-word seed phrase has 2048^12 possible combinations — approximately 5.4 × 10^39. For comparison, the estimated number of atoms in the observable universe is roughly 10^80. Brute-forcing even a 12-word phrase is computationally infeasible with any known or foreseeable technology.

A 24-word phrase raises this to approximately 2.96 × 10^79 combinations, providing a security margin that is practically absolute.

How does the BIP39 checksum detect errors in a seed phrase?

The Checksum — Built-In Error Detection

One of the most elegant features of BIP39 is the checksum — a built-in error-detection mechanism that catches mistakes when you enter your seed phrase.

The last word of your seed phrase is partially determined by the checksum. This means that not all combinations of 12 or 24 BIP39 words form a valid seed phrase. If you accidentally misspell a word, swap two words, or transcribe a word incorrectly, the checksum will almost certainly fail — and the wallet will alert you to the error instead of generating a wrong wallet.

The checksum is like a check digit on a credit card number. It does not make the system more secure against attackers, but it protects you from your own transcription mistakes.

Note: For a 12-word phrase, the checksum is 4 bits long. For a 24-word phrase, it is 8 bits. This means roughly 1 in 16 random 12-word combinations would pass the checksum by chance — but a single-character typo in a real phrase will almost always be caught.

How should you store a seed phrase safely?

Storing Your Seed Phrase Safely

Your seed phrase is the single most valuable piece of information in your crypto setup. How you store it determines whether your funds are safe for decades or vulnerable to a single mistake.

Recommended Practices

  • Write it on paper or stamp it onto a metal plate — metal resists fire, water, and corrosion
  • Store in a secure, private location (fireproof safe, safety deposit box)
  • Consider creating multiple copies in geographically separate locations for disaster resilience
  • Never store digitally — no photos, no cloud storage, no text files, no password managers

Critical: Anyone who sees your seed phrase can steal all your funds instantly. Treat it like the deed to your house — except there is no insurance and no legal recourse if it is stolen.

What to Avoid

  • Taking a screenshot or photo of the seed phrase
  • Typing it into any website, app, or form (except during legitimate wallet recovery)
  • Sending it via email, messaging apps, or any digital channel
  • Storing it alongside your hardware wallet (defeats the purpose of separate backup)

What are the most common seed phrase security mistakes?

Seed Phrase Security Checklist

Your seed phrase is not a password, not a login, and not an account number. It is the cryptographic root of all your funds — a single piece of data from which every private key, every address, and every transaction authorization is derived. If someone obtains your seed phrase, they have complete and irreversible control over every asset it protects. There is no recovery, no dispute process, no customer support. Understanding this is the foundation of every security decision below.

Why You Must Never Store Only Part of a Seed Phrase

A common misconception is that hiding or omitting a few words from your written backup makes it secure — that an attacker who finds 10 of your 12 words would be unable to guess the rest. This is dangerously wrong.

Each word in a BIP39 seed phrase is drawn from a list of 2,048 words. If an attacker knows the positions of the missing words, the number of possible combinations to try is:

Missing words   Combinations          Time to crack
1 word          2,048                 Instant
2 words         4,194,304             Seconds
3 words         8,589,934,592         Minutes to hours
4 words         17,592,186,044,416    Days to weeks
5 words         ~3.6 × 10^16          Months (dedicated hardware)
6 words         ~7.4 × 10^19          Years (nation-state level)

With just 1–2 words missing, an attacker can recover the full phrase in seconds using freely available open-source tools. Even 3–4 missing words are within reach of a moderately resourced adversary. The checksum built into BIP39 further narrows the search space by eliminating invalid combinations automatically.

Critical: Storing 10 of 12 words is not "90% safe." It reduces security from 128 bits to roughly 22 bits — a reduction by a factor of 10^32. An attacker does not need to guess your full phrase; they only need the missing piece.

Why the "Skip a Word" or "Add an Extra Word" Scheme Does Not Work

Some users attempt to "improve" their backup by deliberately omitting one word, rearranging word order, or inserting a fake extra word. These schemes provide a false sense of security:

  • Omitting one word — leaves only 2,048 possibilities, crackable in under a second
  • Swapping two words — an attacker simply tries all n × (n-1) / 2 pair permutations (66 for 12 words)
  • Adding a fake word — the attacker tries removing each word one at a time (12–24 attempts) and checking if the remainder forms a valid seed
  • Custom word reordering — if the attacker knows all the words but not the order, they face 12! permutations (~479 million), which is brute-forceable in hours

None of these approaches come close to the security margin that a properly stored, complete seed phrase provides. If you need an additional layer of protection, use a BIP39 passphrase (25th word) — it is cryptographically designed for this purpose.

Why a Seed Phrase Must Never Be Stored in a Password Manager

Password managers are excellent tools for managing account credentials. However, storing your seed phrase in one fundamentally changes your security model:

  • Your entire crypto wealth becomes protected by a single master password — if that password is phished, keylogged, or brute-forced, everything is lost
  • Password managers run on internet-connected devices, exposing the seed to malware, clipboard hijacking, and memory-scraping attacks
  • Cloud-synced password managers (1Password, Bitwarden, LastPass) store encrypted vaults on third-party servers — breaches have occurred (LastPass 2022), and future decryption is a risk
  • The seed phrase exists in a digital form that can be copied, exfiltrated, and transmitted silently — unlike a metal plate in a safe

Why a Seed Phrase Must Never Be Stored in the Cloud

Cloud storage — Google Drive, iCloud, Dropbox, OneDrive — is designed for convenience and sharing, not for protecting irreversible cryptographic secrets:

  • Even with 2FA, a compromised session token, OAuth vulnerability, or social-engineered account recovery can grant full access
  • Cloud providers can be compelled by legal process to hand over your data
  • Deleted files often persist in backups, trash, and version history — you cannot guarantee permanent deletion
  • Files may be indexed, cached, or processed by AI/ML pipelines without your knowledge
  • Your seed phrase becomes as secure as the weakest device logged into your cloud account

Why Making Many Digital Copies Is Dangerous

Every digital copy of your seed phrase is a potential leak point. Unlike a physical backup that requires physical access to steal, a digital file can be:

  • Exfiltrated silently by malware without any visible sign of compromise
  • Included in automated backups (Time Machine, Google Photos, iCloud sync) that you forgot about
  • Recovered from "deleted" storage using forensic tools
  • Intercepted during sync, upload, or transfer operations

The fundamental principle: seed phrases belong in the physical world, not the digital one. Zero digital copies is the only safe number.

Why You Must Never Enter a Seed Phrase on Any Website

No legitimate wallet, service, or support team will ever ask you to enter your seed phrase into a website. Any site that requests your seed phrase is either:

  • A phishing site designed to steal your funds instantly
  • A compromised legitimate site where an attacker has injected malicious code
  • A scam posing as wallet recovery, airdrop claim, or "verification" tool

Even if the URL looks correct, the site could be a pixel-perfect clone served via a homograph attack (using look-alike Unicode characters in the domain) or DNS poisoning. Your seed phrase should only ever be entered into a hardware wallet device or a verified, offline wallet application during legitimate recovery.

Absolute Rule: If a website asks for your seed phrase — close it immediately. No exceptions, no matter how urgent or official it appears. Legitimate wallet software runs on your device, not in a browser tab.

Common Mistakes When Storing a Seed Phrase

  • Taking a photo or screenshot of the seed phrase (syncs to cloud, accessible to any app with photo permissions)
  • Saving it as a note in a phone app (Notes, Google Keep, Evernote — all are cloud-synced and searchable)
  • Emailing or messaging it to yourself "for safekeeping"
  • Storing the seed phrase alongside the hardware wallet (a single theft compromises both)
  • Writing it on a scrap of paper without a secure storage location
  • Not verifying the backup by performing a test recovery
  • Assuming someone else (a spouse, a friend) "knows where it is" without explicit documentation

Common False Beliefs About Seed Phrase Security

  • "My phone is encrypted, so a photo is safe" — encryption protects against physical access, not against malware running on the unlocked device or cloud sync
  • "I use 2FA on everything, so cloud storage is fine" — 2FA protects login, not data already stored; a single session compromise bypasses it
  • "I'll memorize it" — human memory is unreliable over years; illness, injury, or stress can make recall impossible
  • "Splitting the phrase between two locations is just as good as Shamir's" — naive splitting leaves each half with dangerously low entropy; SLIP39 is the cryptographically sound alternative
  • "A 24-word phrase is overkill; I can safely use fewer words" — the word count determines entropy; using fewer words does not "simplify" security, it weakens it

The Correct Storage Model

A properly stored seed phrase follows these principles:

  • Physical only — written on paper or stamped on metal. Zero digital copies anywhere.
  • Offline always — never entered into any internet-connected device except during legitimate wallet recovery
  • Geographically distributed — at least two physical copies in separate secure locations (fireproof safe, safety deposit box, trusted family member's secure storage)
  • Durable medium — metal plates resist fire, water, and corrosion for decades; paper degrades
  • Verified backup — test recovery on a separate device at least once to confirm the backup is correct and complete
  • Documented for inheritance — a sealed letter of instruction stored with your will, explaining the location and recovery process

Summary: The correct number of digital copies of your seed phrase is zero. The correct number of physical copies is two or more, in separate secure locations, on durable media, tested and documented.

How do entropy sources and CSPRNG work in seed generation?

Entropy Sources and CSPRNG

BIP39 seed generation begins with a cryptographically secure pseudo-random number generator (CSPRNG). The quality of the entropy source is the foundation of the entire security model — if the randomness is predictable or biased, the resulting seed phrase is compromised regardless of word count.

Platform-Specific Entropy Sources

On modern systems, CSPRNGs are typically backed by operating system entropy pools:

  • /dev/urandom on Linux — draws from the kernel entropy pool seeded by hardware interrupts, disk timing, and other sources
  • CryptGenRandom / BCryptGenRandom on Windows — backed by the Windows CNG provider
  • SecRandomCopyBytes on macOS/iOS — Secure Enclave-backed on devices with the T2/M-series chip
  • crypto.getRandomValues() via the Web Crypto API in browsers — delegates to the OS CSPRNG

Entropy Length and Word Count

The entropy length directly determines the mnemonic word count. Each additional 32 bits of entropy adds exactly 3 words and 1 checksum bit:

ENT (bits)   CS (bits)   Total bits   Words
128          4           132          12
160          5           165          15
192          6           198          18
224          7           231          21
256          8           264          24

The formula is: CS = ENT / 32, and words = (ENT + CS) / 11.

Security Warning: Never generate entropy from user-chosen patterns, brain wallets, or low-entropy sources. Predictable inputs collapse the search space from 2^128 to a trivially brute-forceable range. Always use a CSPRNG.

How does the SHA-256 checksum mechanism verify a seed phrase?

SHA-256 Checksum Mechanism

After generating raw entropy, the system computes a SHA-256 hash of the entropy bytes. The first N bits of this hash (where N = entropy_bits / 32) are appended to the entropy as a checksum.

Step-by-Step Process

  1. Generate ENT bits of random entropy (e.g., 128 bits)
  2. Compute H = SHA-256(entropy_bytes)
  3. Take the first ENT/32 bits of H as the checksum
  4. Concatenate: entropy_bits || checksum_bits
  5. Split the result into 11-bit groups
  6. Map each 11-bit value to the corresponding BIP39 word

The checksum ensures that approximately 15 out of every 16 randomly chosen 12-word combinations (for 4-bit checksum) will be invalid. This error-detection capability catches accidental transcription mistakes during recovery, though it is not a security mechanism against deliberate attacks.

Validation During Recovery

When a user enters a seed phrase for recovery, the wallet reverses the process: it converts words back to 11-bit indices, separates the checksum bits, recomputes the SHA-256 hash of the entropy portion, and verifies that the extracted checksum matches. A mismatch indicates a typo, missing word, or incorrect word order.

Technical Note: The checksum covers only data integrity, not authenticity. It cannot detect if the entropy source was weak or compromised. A valid checksum only means the word combination is structurally correct, not that the underlying randomness was sufficient.
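The encoding steps and the recovery check described above (and in "How Are the Words Chosen?"), as an added Python example that is not part of the original guide. It works on the 11-bit word indices rather than on words, so the 2,048-word list is not embedded (a wallet would look each index up in it); all function names are illustrative.

```python
import hashlib
import secrets

WORD_COUNTS = {128: 12, 160: 15, 192: 18, 224: 21, 256: 24}  # ENT -> words

def checksum_bits(entropy):
    """First ENT/32 bits of SHA-256(entropy), as a string of '0'/'1'."""
    cs_len = len(entropy) * 8 // 32
    digest = int.from_bytes(hashlib.sha256(entropy).digest(), "big")
    return format(digest, "0256b")[:cs_len]

def entropy_to_indices(entropy):
    """Append the checksum and split into 11-bit groups (values 0..2047)."""
    ent_bits = len(entropy) * 8
    if ent_bits not in WORD_COUNTS:
        raise ValueError("entropy must be 128, 160, 192, 224 or 256 bits")
    bits = format(int.from_bytes(entropy, "big"), "0{}b".format(ent_bits))
    bits += checksum_bits(entropy)
    return [int(bits[i:i + 11], 2) for i in range(0, len(bits), 11)]

def indices_to_entropy(indices):
    """Recovery check: rebuild the entropy, raise ValueError on a bad checksum."""
    if len(indices) not in WORD_COUNTS.values():
        raise ValueError("word count must be 12, 15, 18, 21 or 24")
    if any(not 0 <= i < 2048 for i in indices):
        raise ValueError("word index out of range")
    bits = "".join(format(i, "011b") for i in indices)
    ent_bits = len(bits) * 32 // 33          # total bits = ENT + ENT/32
    entropy = int(bits[:ent_bits], 2).to_bytes(ent_bits // 8, "big")
    if bits[ent_bits:] != checksum_bits(entropy):
        raise ValueError("checksum mismatch")
    return entropy

def is_valid(indices):
    """True if the index list is a structurally valid BIP39 phrase."""
    try:
        indices_to_entropy(indices)
        return True
    except ValueError:
        return False

def valid_last_indices(first_words):
    """Every final-word index that passes the checksum for the given prefix."""
    return [i for i in range(2048) if is_valid(list(first_words) + [i])]

def generate_indices(ent_bits=128):
    """Draw entropy from the OS CSPRNG, then encode it."""
    return entropy_to_indices(secrets.token_bytes(ent_bits // 8))

if __name__ == "__main__":
    # Constructed input: all-zero entropy (never use this for a real wallet).
    print(entropy_to_indices(bytes(16)))
    print(is_valid([0] * 12))
    print(len(valid_last_indices([0] * 11)))
```

For all-zero 128-bit entropy the result is index 0 eleven times followed by index 3, which in the English list is "abandon" eleven times and then "about". For any fixed first eleven words, exactly 128 of the 2,048 possible final words pass the checksum, which is the 1-in-16 figure given above.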

How is a master key derived from a mnemonic phrase?

From Mnemonic to Master Key (BIP32/BIP44)

The mnemonic phrase is not used directly as a cryptographic key. Instead, it undergoes a key-stretching process to produce a 512-bit seed, which then feeds into hierarchical deterministic key derivation.

PBKDF2 Key Stretching

The mnemonic string (space-separated words, UTF-8 NFKD-normalized) is passed through PBKDF2-HMAC-SHA512 with 2,048 iterations. The salt is the string "mnemonic" concatenated with an optional user-supplied passphrase (the "25th word"):

PBKDF2-HMAC-SHA512
    seed = PBKDF2(
        password:   mnemonic_string,          // "abandon ability able ..."
        salt:       "mnemonic" + passphrase,  // "mnemonic" or "mnemonicMySecret"
        iterations: 2048,
        dkLen:      64,                       // 512 bits
        PRF:        HMAC-SHA512
    )

The 2,048 iterations provide a deliberate computational cost that slows down brute-force attempts against weak passphrases, while remaining fast enough for legitimate use.

BIP32 Master Key Derivation

The 512-bit seed is fed into HMAC-SHA512 with the key "Bitcoin seed". The output is split into two 256-bit halves:

  • Left 256 bits — the master private key
  • Right 256 bits — the master chain code (used for child derivation)

Derivation Paths (BIP44/BIP84/BIP86)

The master key feeds into BIP32 hierarchical deterministic key derivation. Standardized paths determine which specific key pair is generated for each coin and account:

    m / purpose' / coin_type' / account' / change / address_index

Path               Standard   Address Type
m/44'/0'/0'/0/0    BIP44      Bitcoin Legacy (P2PKH)
m/44'/60'/0'/0/0   BIP44      Ethereum
m/49'/0'/0'/0/0    BIP49      Bitcoin Nested SegWit (P2SH-P2WPKH)
m/84'/0'/0'/0/0    BIP84      Bitcoin Native SegWit (P2WPKH)
m/86'/0'/0'/0/0    BIP86      Bitcoin Taproot (P2TR)

Each path segment narrows from the master key to a specific purpose, coin, account, and address index. The apostrophe (') indicates hardened derivation, which prevents child key compromise from leaking parent key information.
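The PBKDF2 stretching, the "Bitcoin seed" HMAC split, and the path notation from this section, as an added Python example using only the standard library; it is not code from the original guide, and the function names are illustrative. The range check on the master key follows BIP32; child key derivation itself needs elliptic-curve arithmetic and is left out.

```python
import hashlib
import hmac
import unicodedata

# Order of the secp256k1 group; BIP32 requires 0 < master key < N.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000  # 2**31, added to an index written with an apostrophe

def mnemonic_to_seed(mnemonic, passphrase=""):
    """PBKDF2-HMAC-SHA512, 2,048 iterations, 64-byte output."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    # Any passphrase yields some seed: a mistyped one opens a different,
    # empty wallet instead of raising an error.
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)

def master_key(seed):
    """Split HMAC-SHA512("Bitcoin seed", seed) into (private key, chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key, chain_code = digest[:32], digest[32:]
    k = int.from_bytes(key, "big")
    if k == 0 or k >= SECP256K1_N:
        raise ValueError("seed gives an invalid master key")
    return key, chain_code

def parse_path(path):
    """Turn "m/84'/0'/0'/0/0" into the list of 32-bit child indices."""
    parts = path.split("/")
    if parts[0] != "m":
        raise ValueError("path must start with 'm'")
    indices = []
    for part in parts[1:]:
        hardened = part.endswith("'")
        number = int(part[:-1] if hardened else part)
        if not 0 <= number < HARDENED:
            raise ValueError("index out of range: " + part)
        indices.append(number + HARDENED if hardened else number)
    return indices

if __name__ == "__main__":
    # Constructed input: a published all-zero-entropy test phrase, not a wallet.
    phrase = " ".join(["abandon"] * 11 + ["about"])
    for pw in ("", "MySecret"):
        key, chain = master_key(mnemonic_to_seed(phrase, pw))
        print(repr(pw), key.hex()[:16], chain.hex()[:16])
    print([hex(i) for i in parse_path("m/84'/0'/0'/0/0")])
```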

How was the BIP39 wordlist designed?

Wordlist Design and Multilingual Support

The BIP39 English wordlist was engineered with strict constraints to minimize ambiguity and transcription errors across different contexts (handwriting, phone dictation, poor lighting):

  • 4-character uniqueness — no two words share the same first four letters, enabling unambiguous abbreviation on constrained displays
  • Levenshtein distance — words were selected to maximize edit distance between similar entries, reducing confusion from single-character typos
  • Common vocabulary — obscure or easily misspelled words were excluded
  • ASCII-safe — no diacritics or special characters in the English list

Non-English Wordlists

BIP39 includes official wordlists for multiple languages. Each wordlist is independently curated and contains exactly 2,048 words. Importantly, wordlists are not translations of each other — a seed generated with the English list cannot be recovered using the Japanese list. The wordlist used during generation must also be used during recovery.

Compatibility Note: In practice, the English wordlist is the de facto standard. Most hardware wallets and popular software wallets only support the English list. If cross-wallet compatibility is important, stick with English.

What are the known attack vectors against seed phrases?

Attack Vectors and Entropy Analysis

Understanding the threat landscape for seed phrases helps calibrate security decisions. The primary attack vectors are:

Brute-Force Attacks

A 128-bit entropy seed (12 words) provides a search space of 2^128 ≈ 3.4 × 10^38 possible keys. At 10 billion guesses per second (far beyond current capability for full key derivation), exhausting this space would take approximately 10^21 years. This is secure against any classical computing attack.

Partial Knowledge Attacks

If an attacker knows some words of your seed phrase, the remaining search space shrinks dramatically:

  • 11 of 12 words known — 2,048 candidates (trivially brute-forceable)
  • 10 of 12 words known — ~4.2 million candidates (seconds to crack)
  • 8 of 12 words known — ~1.76 × 10^13 candidates (days to weeks)

Security Warning: Never split your seed phrase into parts thinking each part is independently secure. If an attacker obtains any significant portion, the remaining entropy may be brute-forceable. Use Shamir's Secret Sharing (SLIP39) instead for threshold-based backup splitting.

Side-Channel and Social Attacks

In practice, most seed phrase compromises do not involve brute-force. They come from phishing (fake wallet recovery pages), malware (clipboard hijacking, keyloggers), physical theft of backup material, and social engineering. Strong entropy is necessary but not sufficient — operational security is equally critical.
