BIP39 Explained: Seed Phrases and How They Work

What Is BIP39?

BIP39 stands for Bitcoin Improvement Proposal 39. It is the technical standard that defines how a seed phrase, the sequence of 12 or 24 human-readable words used to back up and restore a crypto wallet, is generated and used. Introduced in 2013, BIP39 has become one of the most foundational standards in the entire crypto ecosystem. Almost every hardware wallet, software wallet, and self-custody solution in use today is built on top of the BIP39 standard, making it compatible across different wallet brands and implementations.

Before BIP39, different wallet software used proprietary backup formats. If you lost access to a specific wallet application, your funds could be permanently inaccessible even if you had technically backed up your key material. BIP39 solved this by creating a universally agreed format: a sequence of words chosen from a standardised list of 2,048 words that encodes the information needed to regenerate any private key associated with the wallet. As long as you have the words, in the correct order, you can restore your wallet in any BIP39-compatible application.

Understanding BIP39 helps you understand exactly what your seed phrase is, why it is so critically important to protect it, and what the different options and configurations mean for your security. It is the technical foundation underlying all the practical guidance in resources like the seed phrase storage guide and advanced seed phrase storage techniques.

How BIP39 Works: Entropy, Wordlists, and Checksums

A BIP39 seed phrase is generated from a random number called “entropy.” The entropy is generated by the wallet software using a cryptographically secure random number generator. The specific size of the entropy determines the length of the resulting seed phrase: 128 bits of entropy produces a 12-word phrase, while 256 bits produces a 24-word phrase.

The entropy bits are then run through a SHA-256 hash, and a portion of the resulting hash (the checksum) is appended to the entropy. This combined string of bits is divided into groups of 11 bits each. Each 11-bit group corresponds to a number between 0 and 2,047, which maps to a specific word in the BIP39 wordlist. The result is your seed phrase: a sequence of words that encodes your entropy plus a checksum.

The BIP39 wordlist contains 2,048 words, carefully selected so that no two words are easily confused. The first four letters of every word are unique within the list, meaning you can restore your wallet even if you only write down the first four letters of each word. Words were also chosen to minimise similarity in sound and appearance. The standard wordlist exists in English, but BIP39-compatible wordlists also exist in Spanish, French, Italian, Japanese, Korean, Czech, Portuguese, and Simplified and Traditional Chinese.

The checksum is important for error detection. If you make a mistake when entering your seed phrase, such as transposing two words or misspelling one, the wallet software will detect the invalid checksum and alert you before proceeding. This prevents you from inadvertently restoring to an incorrect wallet, but it also means that you cannot just make up or guess a valid seed phrase: the mathematical probability of accidentally creating a valid checksum combination is negligibly small.

12 Words vs 24 Words: What Is the Difference?

Both 12-word and 24-word seed phrases are generated from BIP39 and are used in different wallet implementations. The key difference is the amount of entropy they encode: 128 bits for 12 words versus 256 bits for 24 words.

From a practical security standpoint, 128 bits of entropy is considered more than sufficient protection against brute-force attacks with any currently conceivable computing technology. The number of possible 12-word combinations exceeds 2 to the power of 128, a number so large that exhaustive search is not a realistic attack vector even for nation-state-level computing resources. A 24-word phrase doubles the entropy, providing 2 to the power of 256 possible combinations, which is even further beyond the reach of any conceivable brute-force approach.

The practical reasons to prefer one over the other come down to wallet software compatibility and personal preference for backup complexity. Most hardware wallets default to 24 words. The Ledger wallet generates a 24-word phrase by default. Trezor offers both 12 and 24 word options. Many software wallets and mobile wallets default to 12 words. Both are secure; the difference in practical security is academic rather than meaningful.

What matters far more than the length of your seed phrase is how securely you store it. A 24-word phrase stored on a digital device, in a cloud account, or written on a piece of paper that anyone can access provides less actual security than a 12-word phrase stamped on a fireproof metal seed phrase backup stored in a physically secure location. Security of storage is the critical variable, not word count. The seed phrase storage guide and advanced techniques for seed phrase storage cover how to build robust physical backup strategies.

The Capital Nexus newsletter covers crypto security developments and practical protection strategies every week: Capital Nexus Newsletter.

The BIP39 Passphrase: The Optional 25th (or 13th) Word

One of the most powerful and underused security features in BIP39 is the optional passphrase, sometimes called the “25th word” or “13th word.” Unlike the generated seed phrase itself, the passphrase is a user-defined string of characters that you choose yourself. It can be any combination of letters, numbers, and symbols, of any length.

When a passphrase is added, it is combined with the seed phrase to generate a completely different set of private keys. The same 24-word seed phrase, used with different passphrases, produces entirely different wallets with entirely different addresses. The seed phrase without the passphrase still generates a valid wallet, which is what you would access on a standard restore without specifying a passphrase. But the wallet with the passphrase, containing your actual holdings, is only accessible to someone who knows both the seed phrase and the passphrase.

This creates a powerful security architecture. If an attacker obtains your seed phrase, they will restore a valid wallet that appears to have no significant funds. Your actual holdings are only in the passphrase-protected wallet. This “hidden wallet” approach is commonly recommended for users who want protection against scenarios where their seed phrase backup might be discovered physically.

The critical risk with passphrases is loss. Unlike your seed phrase, which has a checksum to detect errors, there is no validation mechanism for the passphrase. If you use a passphrase and forget or misspell it, you cannot recover your funds. The passphrase must be memorised reliably or backed up separately from the seed phrase. The security gain from a passphrase is real, but it comes with increased complexity and a new failure mode that must be managed carefully. The seed phrase storage guide covers best practices for passphrase management.

BIP32 and BIP44: The Standards That Build on BIP39

BIP39 is one piece of a three-standard framework that together define how modern deterministic wallets work. Understanding the other two standards helps you understand why one seed phrase can generate thousands of different addresses across different cryptocurrencies.

BIP32 defines Hierarchical Deterministic (HD) wallets. It describes how a single root seed (derived from your BIP39 seed phrase) can be used to generate a tree of private and public key pairs. This tree structure means that all addresses in your wallet are derived from the same root, and knowing the root seed (your seed phrase) allows you to recreate all of them. You do not need to back up each address individually: the seed phrase captures everything.

BIP44 builds on BIP32 by defining a specific “derivation path” structure that organises addresses by coin type, account, and whether they are for receiving or change transactions. The derivation path for Bitcoin, for example, follows the structure m/44’/0’/0’/0 (external chain) and m/44’/0’/0’/1 (internal change chain). Ethereum uses m/44’/60’/0′. This standardised path structure is why a single seed phrase can be used to access Bitcoin addresses in one wallet application, Ethereum addresses in another, and Solana addresses in a third, as long as each uses BIP39 with the correct derivation path for the relevant coin.

Understanding derivation paths is particularly important when you are restoring a wallet. If you restore a BIP39 seed phrase into a wallet application that uses a different derivation path than the original wallet, you will see different addresses and what appears to be a zero balance, even though your funds are technically accessible. If you believe this has happened, compare the derivation paths used by both wallet applications. This is a common source of confusion for users migrating from one wallet software to another. The guide to importing a wallet with a seed phrase covers this in detail.

BIP39 Compatibility: Does Your Seed Phrase Work Across Wallets?

One of the most practical benefits of BIP39 is the interoperability it provides. If you create a wallet with a Ledger hardware wallet and later decide to switch to a Trezor, you can restore your wallet using the same 24-word seed phrase. If you want to access your Phantom Wallet Solana addresses in a different wallet application, you can import your seed phrase and your addresses will be identical, provided both use the BIP44 derivation path for Solana.

There are some exceptions to full interoperability. Ethereum wallets sometimes use different derivation paths depending on whether they are designed for MetaMask-style access or for a different standard. Some wallets use a different path for legacy Bitcoin addresses versus SegWit or Taproot addresses. And some wallet providers use proprietary extensions or modifications to the BIP39 standard. Before relying on cross-wallet compatibility, verify that both the source and destination wallet use the same BIP39 implementation and derivation path structure.

This compatibility is a significant advantage for long-term crypto investors. You are not locked into any particular wallet application or hardware vendor. Your seed phrase is the fundamental access key, and as long as BIP39 remains the industry standard, you will be able to access your funds using any compatible wallet software for the foreseeable future. This is why the self-custody guide places so much emphasis on understanding and protecting your seed phrase: it is the only thing you truly need, and the only thing that truly matters.

Security Implications of BIP39

BIP39 provides an elegant solution to the wallet backup problem, but it also concentrates your entire security posture into a single string of words. Understanding the security implications of this concentration is essential for anyone using a BIP39-based wallet.

The most important implication is that anyone who obtains your seed phrase has unrestricted access to all assets in your wallet, from any device, at any time, forever. There is no password that can be changed, no two-factor authentication that can be added, no support channel that can freeze access. This is the meaning of not your keys, not your crypto: it also means that your keys are your complete and only protection.

The generation process is only as secure as the device generating the entropy. Hardware wallets generate entropy on their own secure hardware, which is isolated from the internet and from your computer’s operating system. This is the gold standard. Software wallets generated on a clean, offline device are the next best option. Wallets generated in a browser extension or on a general-purpose internet-connected device carry a small but non-zero risk of entropy leakage if the device is compromised.

Never store your BIP39 seed phrase digitally. Cloud storage, email, screenshots, password managers, and note-taking apps are all inappropriate locations for seed phrase storage. Physical storage, using either paper in a secure location or a dedicated metal backup device, is the minimum standard. For high-value holdings, advanced seed phrase storage techniques including multiple physical copies in different locations, optional use of the BIP39 passphrase, and consideration of multisignature wallet setups provide additional layers of resilience.

BIP39: The Foundation of Your Crypto Security

BIP39 is not just a technical standard. It is the architecture that makes self-custody practical and portable. The 12 or 24 words of your seed phrase encode everything needed to access your crypto holdings from any compatible device, forever. That power is exactly proportional to the responsibility it demands.

Treat your seed phrase with the same seriousness you would give to the combination of every bank account, investment portfolio, and valuable you own. Protect the physical copies. Consider the passphrase option for additional security. Understand the BIP39 standard well enough to verify that your wallet is generating and storing it correctly. And revisit the full Cryptopedia security library to build a complete, layered protection strategy: from choosing the right hardware wallet to securing your self-custody setup.