What Is BIP39?
BIP39 stands for Bitcoin Improvement Proposal 39. Proposed in 2013, it defines the standard for generating mnemonic phrases (human-readable sequences of words that encode a cryptographic seed) and how those phrases are converted into the master seed used to derive all keys in a hierarchical deterministic (HD) wallet.
Today, BIP39 is not just a Bitcoin standard. It is the universal seed phrase standard across virtually all crypto ecosystems: Ethereum, Solana, Cosmos, Cardano, and hundreds of other networks all use BIP39-compatible wallet implementations. When you create any modern crypto wallet, you are almost certainly getting a BIP39 mnemonic.
How Entropy Becomes Words
The process starts with entropy, meaning raw randomness. Your wallet software (or hardware wallet) generates a cryptographically secure random number of 128, 160, 192, 224, or 256 bits. The most common sizes are 128 bits (for 12-word phrases) and 256 bits (for 24-word phrases).
Step 1: Generate entropy
A 128-bit entropy value is generated using a cryptographically secure random number generator (CSPRNG). This is not pseudo-random; it draws from sources of genuine hardware randomness to ensure the output cannot be predicted or reproduced.
Step 2: Compute checksum
A checksum is computed by taking the first few bits of the SHA-256 hash of the entropy. For 128-bit entropy, this is 4 bits. The checksum is appended to the entropy, producing a 132-bit string.
Step 3: Split into 11-bit groups
The 132-bit string is split into 12 groups of 11 bits each. Each 11-bit value is a number between 0 and 2,047, the index into the BIP39 wordlist.
Step 4: Map to words
The BIP39 wordlist contains exactly 2,048 carefully selected English words. Each word is unambiguous, distinct, and chosen to minimize confusion between similar-sounding words. Your 12 numbers map to 12 words. This is your seed phrase.
The 24-word phrase follows the same process but starts with 256 bits of entropy, producing a 264-bit string split into 24 groups of 11 bits, giving you 256 bits of security rather than 128.
From Phrase to Seed to Keys
The seed phrase itself is not directly used as a private key. It is an input to a key derivation function, specifically PBKDF2 with HMAC-SHA512, running 2,048 iterations. The output is a 512-bit master seed.
This master seed is then used by the BIP32 hierarchical deterministic wallet algorithm to derive an essentially unlimited tree of key pairs, one for each address, organized by coin type, account, and address index. Every address in your wallet, across every supported blockchain, derives from this single 512-bit master seed, which derives from your seed phrase.
Your 12 or 24 words are not just a backup. They are the mathematical origin of every key your wallet will ever generate, across every blockchain it supports.
12-Word vs 24-Word Phrases
A 12-word phrase provides 128 bits of entropy. A 24-word phrase provides 256 bits. Both are considered cryptographically secure against brute-force attacks, and the number of possible 12-word phrases is approximately 2^128, which is many trillions of times larger than what any attack can exhaustively search.
The practical difference is security margin. 128 bits is considered secure for the foreseeable future. 256 bits provides an additional margin against theoretical future developments, including potential advances in quantum computing. Ledger hardware wallets use 24-word phrases. Trezor supports both 12 and 24.
The Optional Passphrase (BIP39 Extension)
BIP39 allows an optional passphrase (sometimes called the "25th word") that is concatenated with the seed phrase before key derivation. This passphrase can be any string and is not part of the BIP39 wordlist. It acts as a second factor: even if someone obtains your seed phrase, they cannot derive your actual keys without also knowing the passphrase.
The passphrase approach has a critical tradeoff: each unique passphrase produces an entirely different wallet. A blank passphrase (the default) produces one wallet; "correcthorsebattery" produces another; "CorrectHorseBattery" produces yet another. Forgetting your passphrase means losing access to the wallet derived with it, even with the correct seed phrase.
Using a passphrase adds meaningful security but requires careful backup of the passphrase separately from the seed phrase. This is an advanced feature best suited to users who fully understand the implications.
Why You Cannot Regenerate a Lost Seed Phrase
The entropy used to generate your seed phrase is random and not stored anywhere after the phrase is displayed. The phrase is the only human-accessible representation of that entropy. There is no server that knows it, no backup in the wallet app's cloud account, no way to reverse-engineer it from your public addresses.
This is not a bug or oversight; it is the fundamental security property of asymmetric cryptography. The mathematical functions used (SHA-256, HMAC-SHA512, elliptic curve point multiplication) are all one-way. Computing the input from the output is computationally infeasible. If the seed phrase is lost, the funds are irretrievably lost.
Why This Makes Backup So Critical
Understanding BIP39 clarifies why seed phrase backup is not optional. Your seed phrase is unique, generated from hardware randomness and never reproducible. It is complete, the origin of every key your wallet will ever use. It is final: there is no recovery path if it is lost. And it is universal, it works to restore your wallet on any compatible software or hardware, regardless of where the original was created. The backup strategy you choose (paper vs encrypted, metal plate vs digital, single copy vs distributed) determines whether you retain access to everything your wallet controls.
SeedCrypt
Encrypt your seed phrases. Offline. Forever.
AES-256-GCM · PBKDF2-SHA512 · No cloud · Windows & Android
Get SeedCrypt from €29Conclusion
BIP39 is elegant in its simplicity: random entropy, a checksum, and a wordlist, producing a human-memorable (or at least human-writeable) representation of the master secret for an entire crypto portfolio. The simplicity is deceptive; the stakes are absolute.
Every word in your seed phrase encodes 11 bits of cryptographic entropy. Every word matters. The order matters. A single wrong word or transposed pair produces an entirely different wallet, not yours. Treat your seed phrase with the reverence its mathematical role demands, and protect it with the strongest backup method available to you. Read our complete guide on how to encrypt your seed phrase to get started.