BIP-39 (Mnemonic Seed Phrases)
The standard defining how mnemonic word lists encode wallet seeds, enabling human-readable backup of Bitcoin keys.
Key Takeaways
- BIP-39 defines how random entropy is converted into a human-readable list of words (a seed phrase) that can deterministically regenerate all keys in an HD wallet.
- The standard uses a 2048-word English wordlist, a SHA-256 checksum for error detection, and PBKDF2 key stretching with an optional passphrase to derive a 512-bit master seed compatible with BIP-32.
- Despite being the most widely adopted seed format across Bitcoin and other blockchains, BIP-39 has notable criticisms: it lacks versioning, ties recovery to a specific wordlist, and does not encode wallet metadata.
What Is BIP-39?
BIP-39 (Bitcoin Improvement Proposal 39) is a standard that defines how cryptocurrency wallets generate mnemonic seed phrases: ordered lists of common English words that encode the cryptographic entropy needed to derive all of a wallet's private keys. Proposed in September 2013 by Marek Palatinus, Pavol Rusnak, Aaron Voisine, and Sean Bowe, BIP-39 solved the problem of backing up raw binary data by replacing it with something a human can write down, verify, and store securely.
Before BIP-39, users had to back up individual private keys or raw hexadecimal strings. Losing even a single character meant permanent loss of funds. BIP-39 changed this by creating a pipeline: generate random bits, add a checksum, map each 11-bit segment to a word, and then stretch the resulting phrase through PBKDF2 to produce a master seed. That master seed feeds into BIP-32 hierarchical deterministic key derivation, enabling an entire wallet (with unlimited addresses) to be restored from a single phrase.
The standard became the de facto industry format. Virtually every major hardware and software wallet uses BIP-39, from Trezor and Ledger to MetaMask and Coinbase Wallet, despite the specification never reaching "Final" status and carrying a "Unanimously Discourage for implementation" designation in its BIP comments.
How It Works
BIP-39 converts randomness into words and then words into a cryptographic seed through three distinct phases: entropy generation, mnemonic encoding, and seed derivation.
Step 1: Entropy Generation
A cryptographically secure random number generator (CSPRNG) produces between 128 and 256 bits of entropy, in multiples of 32. The entropy size determines the number of words in the resulting phrase:
| Entropy (bits) | Checksum (bits) | Total (bits) | Words |
|---|---|---|---|
| 128 | 4 | 132 | 12 |
| 160 | 5 | 165 | 15 |
| 192 | 6 | 198 | 18 |
| 224 | 7 | 231 | 21 |
| 256 | 8 | 264 | 24 |
Hardware wallets like Trezor and Ledger typically default to 256-bit entropy (24 words), while many software wallets use 128-bit entropy (12 words). Both provide strong security: 128 bits of entropy yields approximately 2^128 possible phrases, which already matches the roughly 128-bit security level of the secp256k1 keys derived from it, so 24 words buy a longer checksum and headroom rather than a meaningfully harder brute force.
Step 2: Checksum and Word Mapping
After generating the raw entropy, BIP-39 appends a checksum to enable error detection:
- Compute the SHA-256 hash of the entropy bytes
- Take the first ENT / 32 bits of that hash (for example, 4 bits for 128-bit entropy, 8 bits for 256-bit entropy)
- Append those checksum bits to the end of the entropy
- Split the combined bitstring into 11-bit segments
- Map each 11-bit value (0 to 2047) to the corresponding word in the BIP-39 wordlist
Because each word encodes exactly 11 bits and the wordlist contains exactly 2,048 words (2^11), the mapping is lossless. The last word carries the final few entropy bits together with the checksum, so wallet software can flag a corrupted phrase without making any network requests. The checksum is short, though: a word that is not in the wordlist is rejected outright by the lookup, but a substituted, swapped, or reordered word that is still a valid wordlist entry passes the check with probability 1/16 for 12 words (1/256 for 24 words), so a valid checksum is not proof that the phrase was transcribed correctly.
```python
# Simplified BIP-39 encoding flow (Python; wordlist read from the official english.txt, one word per line)
import hashlib, secrets
entropy = secrets.token_bytes(16)                      # 128 bits from a CSPRNG
digest = hashlib.sha256(entropy).digest()              # 256-bit hash
bits = bin(int.from_bytes(entropy, "big"))[2:].zfill(128)
checksum = bin(digest[0])[2:].zfill(8)[:4]             # first ENT/32 = 4 bits
combined = bits + checksum                             # 132 bits
indices = [int(combined[i:i + 11], 2) for i in range(0, 132, 11)]
wordlist = open("english.txt").read().split()          # 2048 words
words = [wordlist[i] for i in indices]                 # 12 words
```
Step 3: PBKDF2 Seed Derivation
The mnemonic phrase is not used directly as a key. Instead, BIP-39 stretches it through PBKDF2 to produce a 512-bit binary seed:
| Parameter | Value |
|---|---|
| Password | Mnemonic sentence (UTF-8 NFKD normalized) |
| Salt | "mnemonic" + optional passphrase |
| Iterations | 2,048 |
| PRF | HMAC-SHA512 |
| Output | 512 bits (64 bytes) |
The optional passphrase is concatenated with the string "mnemonic" to form the salt. If no passphrase is provided, the salt is simply the literal string "mnemonic". Every different passphrase produces a completely different (but valid) 512-bit seed, which means a single set of 12 or 24 words can unlock multiple independent wallets. This property enables plausible deniability: a user under duress can reveal the mnemonic with a decoy passphrase while keeping the real wallet hidden. The flip side is that a wrong passphrase is indistinguishable from a correct one at the cryptographic level: a typo yields a different, perfectly valid seed and therefore an empty wallet with no error message, so the passphrase must be backed up (and a restored wallet checked against a known address) with the same care as the words themselves.
The resulting 512-bit seed is then passed to BIP-32 to generate a master extended private key, from which all subsequent keys and addresses are derived along a derivation path.
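The three steps above, carried through end to end as an added worked example (illustration code written for this entry, not code from the BIP or from any wallet vendor). It uses only the Python standard library, checks itself against the first official BIP-39 test vector (all-zero 128-bit entropy with passphrase "TREZOR"), derives the BIP-32 master node from the seed, and counts how many substitutions of the last word still pass the checksum. The English wordlist is not embedded; the two word-mapping helpers take it as a parameter, to be loaded from the official english.txt.

```python
"""BIP-39 end to end: entropy -> checksum -> word indices -> seed -> BIP-32 master node.

Added worked example, not BIP or wallet-vendor code. Standard library only.
Word lookup takes the official 2048-word English list (english.txt, one word
per line) as a parameter; it is not embedded here.
"""
import hashlib
import hmac
import secrets
import unicodedata

WORD_BITS = 11
PBKDF2_ROUNDS = 2048


def entropy_to_indices(entropy: bytes) -> list:
    """Append the ENT/32-bit SHA-256 checksum and split into 11-bit word indices."""
    ent = len(entropy) * 8
    if ent not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 128-256 bits in 32-bit steps")
    cs = ent // 32
    checksum = int.from_bytes(hashlib.sha256(entropy).digest(), "big") >> (256 - cs)
    combined = (int.from_bytes(entropy, "big") << cs) | checksum
    total = ent + cs
    return [(combined >> (total - WORD_BITS * (i + 1))) & 0x7FF for i in range(total // WORD_BITS)]


def indices_to_entropy(indices: list) -> bytes:
    """Reverse the mapping and verify the checksum; raise on an invalid phrase."""
    if len(indices) not in (12, 15, 18, 21, 24) or not all(0 <= i < 2048 for i in indices):
        raise ValueError("bad word count or word index")
    total = len(indices) * WORD_BITS
    cs = total // 33                       # 132 -> 4 bits, 264 -> 8 bits
    combined = 0
    for i in indices:
        combined = (combined << WORD_BITS) | i
    entropy = (combined >> cs).to_bytes((total - cs) // 8, "big")
    if entropy_to_indices(entropy) != indices:
        raise ValueError("checksum mismatch")
    return entropy


def is_valid_indices(indices: list) -> bool:
    try:
        indices_to_entropy(indices)
        return True
    except ValueError:
        return False


def indices_to_words(indices: list, wordlist: list) -> str:
    return " ".join(wordlist[i] for i in indices)


def words_to_indices(mnemonic: str, wordlist: list) -> list:
    # list.index raises ValueError for a word not in the list; that lookup, not
    # the checksum, is what catches a misspelling.
    return [wordlist.index(w) for w in mnemonic.split()]


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """PBKDF2-HMAC-SHA512, 2048 rounds, salt = 'mnemonic' + passphrase, NFKD on both."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, PBKDF2_ROUNDS, dklen=64)


def seed_to_master(seed: bytes) -> tuple:
    """BIP-32 master node: HMAC-SHA512(key='Bitcoin seed', seed) -> (private key, chain code)."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return i[:32], i[32:]


def last_word_collisions(indices: list) -> int:
    """Count the 2048 possible last words that pass the checksum (original included).

    The last word holds 11 - ENT/32 entropy bits plus the checksum, so exactly
    2048 / 2**cs candidates validate: 128 for 12 words, 8 for 24 words.
    """
    return sum(1 for alt in range(2048) if is_valid_indices(indices[:-1] + [alt]))


if __name__ == "__main__":
    # Official BIP-39 test vector: all-zero 128-bit entropy, passphrase "TREZOR".
    indices = entropy_to_indices(bytes(16))          # [0]*11 + [3]: "abandon" x11 + "about"
    phrase = "abandon " * 11 + "about"
    print(indices)
    print(mnemonic_to_seed(phrase, "TREZOR").hex())  # c55257c3...e7463b04
    print("decoy seed differs:", mnemonic_to_seed(phrase) != mnemonic_to_seed(phrase, "TREZOR"))
    print("last-word substitutions that still validate:", last_word_collisions(indices))
    print(len(entropy_to_indices(secrets.token_bytes(32))), "indices from fresh 256-bit entropy")
```

Run as a script it prints the vector's word indices (index 0 is "abandon", index 3 is "about"), the expected seed, and the 128 last-word substitutions (exactly 1 in 16) that validate for a 12-word phrase; the same count is 8 for 24 words, which is the concrete meaning of the checksum sizes in the table above.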
The Wordlist
The BIP-39 English wordlist contains exactly 2,048 words, sorted alphabetically from "abandon" to "zoo." Words were selected with specific criteria: the first four characters of each word must uniquely identify it (so wallets can match after only four typed characters), and visually or phonetically similar words are excluded to reduce transcription errors.
While wordlists exist in ten languages (English, Japanese, Korean, Chinese Simplified, Chinese Traditional, Spanish, French, Italian, Czech, and Portuguese), the specification strongly discourages non-English wordlists. In practice, the vast majority of wallets support only English. A mnemonic generated with one language's wordlist cannot be recovered using another, making the English wordlist the only truly portable option.
Why It Matters
BIP-39 is the foundation of modern self-custody. Without a standardized, portable backup format, users would be locked into individual wallet vendors or forced to manage raw key material. The mnemonic standard means a user can generate a wallet on one device, write down 12 or 24 words, and restore on any BIP-39-compatible wallet from any manufacturer.
This portability is critical for key management in practice. Whether storing a cold storage backup in a safe deposit box or recovering after a lost signing device, BIP-39 provides the interoperable standard that makes it work. Layer 2 solutions like Spark also benefit from BIP-39 compatibility, since wallets built on the Spark SDK can derive keys from the same seed phrase ecosystem that users already know.
For a broader comparison of wallet infrastructure and how seed phrase management fits into modern wallet design, see the Bitcoin wallet SDK comparison and self-custodial vs. custodial wallets research articles.
Use Cases
Wallet Backup and Recovery
The primary use case for BIP-39 is wallet backup. A user writes down 12 or 24 words on paper (or stamps them into metal) and stores them securely. If their device is lost, stolen, or destroyed, those words restore the entire wallet: every key and address, with transaction history rediscovered by rescanning the chain. This works across wallet vendors because BIP-39 is an open standard, provided the restoring wallet supports the same derivation path (see Lack of Versioning below).
Hardware Wallet Initialization
When setting up a hardware wallet (Trezor, Ledger, Coldcard), the device generates a BIP-39 mnemonic from its own entropy source and displays it for the user to record. The device keeps the secret in its protected storage and never exports it again; the written mnemonic is the only backup. If the hardware fails, the mnemonic restores the wallet on a replacement device or even a different brand of wallet entirely.
Multi-Wallet Derivation
Combined with BIP-32 and derivation paths like BIP-44, a single BIP-39 mnemonic can generate separate accounts for Bitcoin, Ethereum, Solana, and other chains. This is how wallets like MetaMask and Trust Wallet manage multi-chain support from a single seed phrase. For details on how hierarchical deterministic wallets derive keys from a master seed, see the Bitcoin address types research article.
Passphrase-Based Hidden Wallets
Because the optional passphrase produces a completely different seed, users can maintain multiple wallets from the same mnemonic. A common pattern: one wallet with no passphrase holds a small amount (the decoy), while a passphrase-protected wallet holds the main balance. An attacker who obtains only the mnemonic sees only the decoy funds.
Risks and Considerations
Lack of Versioning
BIP-39's most significant design limitation is the absence of version information in the mnemonic. The same 24 words give no indication of which derivation path or address format the wallet originally used. When restoring a wallet, software must scan multiple derivation schemes (BIP-44, BIP-49, BIP-84, BIP-86) to find existing balances. If a wallet drops support for a legacy derivation method, users may see an empty wallet and incorrectly believe their funds are lost.
This is the core criticism voiced by Bitcoin Core developer Greg Maxwell and the reason Electrum does not generate BIP-39 seeds (it can import them, behind an explicit option and a warning). Electrum's own seed scheme embeds a version prefix in the seed hash, encoding the derivation method and address type directly into the mnemonic's verification step.
Wordlist Dependency
BIP-39 mnemonics are tied to the specific wordlist used to generate them. Recovery requires knowing which language wordlist was used, since word indices differ between languages. In practice, this risk is minimal because nearly all wallets use the English wordlist, but it remains a theoretical fragility in the specification.
No Wallet Birthday
BIP-39 does not encode when the wallet was created. During recovery, wallet software must scan the entire blockchain history (or at least from the earliest possible BIP-39 usage in 2013) to discover all transactions. This makes recovery slower and more resource-intensive than it needs to be, particularly for light clients.
Physical Security of the Mnemonic
Because a BIP-39 phrase gives complete control over all derived keys, physical security of the written backup is paramount. Anyone who obtains the 12 or 24 words (and the passphrase, if one is used) can sweep all funds. Unlike threshold signature schemes or MPC wallets, BIP-39 concentrates the entire secret into a single artifact. Users must consider fire-resistant storage, geographic distribution of copies, and protection against theft. For approaches that distribute key material across multiple parties, see the FROST threshold signatures research article.
Electrum's Alternative
Electrum wallet implements its own seed scheme that addresses several BIP-39 shortcomings. Electrum seeds use HMAC-SHA512 to verify a version prefix in the seed hash, encoding metadata about derivation method and address type. They do not depend on a fixed wordlist: the seed phrase can be any sequence of words, with validity determined by the hash prefix rather than wordlist membership. While technically superior in some respects, Electrum seeds are not compatible with BIP-39 and cannot be imported into most other wallets.
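To make the contrast with BIP-39's checksum concrete for both the Lack of Versioning discussion and this section, here is an added example of the version-prefix check (illustration code written for this entry, not Electrum's own source). It assumes Electrum's documented parameters: the HMAC-SHA512 key "Seed version", the hex prefixes 01 (standard), 100 (segwit), 101 and 102 (2FA variants), and PBKDF2-HMAC-SHA512 with salt "electrum" + passphrase. Text normalization is simplified to NFKD, lowercasing and whitespace collapsing, and a constructed 16-word pool stands in for Electrum's wordlist, which is the point: validity depends only on the hash.

```python
"""Electrum-style versioned seed: the version prefix is a property of the hash,
not of the wordlist, so any phrase that hashes right is a valid seed.

Added illustration, not Electrum's code. Normalization is simplified and
DEMO_POOL is a constructed stand-in for Electrum's 2048-word list.
"""
import hashlib
import hmac
import secrets
import unicodedata
from typing import Optional

SEED_PREFIX = {"standard": "01", "segwit": "100", "2fa": "101", "2fa_segwit": "102"}
PBKDF2_ROUNDS = 2048

# Constructed pool for the demo only; real Electrum draws from its 2048-word list.
DEMO_POOL = ["army", "river", "cloud", "stone", "lemon", "frost", "pilot", "maze",
             "orbit", "candle", "velvet", "harbor", "tiger", "quartz", "meadow", "signal"]


def normalize(text: str) -> str:
    """Simplified normalize_text: NFKD, lowercase, collapse whitespace."""
    return " ".join(unicodedata.normalize("NFKD", text).lower().split())


def seed_version_hash(phrase: str) -> str:
    return hmac.new(b"Seed version", normalize(phrase).encode("utf-8"), hashlib.sha512).hexdigest()


def seed_type(phrase: str) -> Optional[str]:
    """Wallet type encoded in the phrase, or None if it is not a versioned seed."""
    h = seed_version_hash(phrase)
    for name, prefix in SEED_PREFIX.items():
        if h.startswith(prefix):
            return name
    return None


def make_seed(kind: str = "segwit", words: int = 12, pool: list = DEMO_POOL) -> tuple:
    """Retry random phrases until the version hash carries the wanted prefix.

    Returns (phrase, attempts); expected attempts are 256 for "01" and 4096 for "100".
    This retry loop is how the version bits get embedded without a separate field.
    """
    prefix = SEED_PREFIX[kind]
    attempts = 0
    while True:
        attempts += 1
        phrase = " ".join(secrets.choice(pool) for _ in range(words))
        if seed_version_hash(phrase).startswith(prefix):
            return phrase, attempts


def electrum_seed_bytes(phrase: str, passphrase: str = "") -> bytes:
    """Same PBKDF2 shape as BIP-39, but the salt is 'electrum' + passphrase."""
    return hashlib.pbkdf2_hmac("sha512", normalize(phrase).encode("utf-8"),
                               ("electrum" + normalize(passphrase)).encode("utf-8"),
                               PBKDF2_ROUNDS, dklen=64)


if __name__ == "__main__":
    phrase, tries = make_seed("segwit")
    print(f"{phrase!r} after {tries} tries -> type {seed_type(phrase)}")
    # A substituted word almost always breaks the prefix (1/256 chance of landing
    # on "standard"), so the wallet refuses the phrase instead of opening an
    # empty wallet under the wrong derivation scheme.
    altered = " ".join(["signal"] + phrase.split()[1:])
    print("altered phrase type:", seed_type(altered))
    print(electrum_seed_bytes(phrase).hex()[:32], "...")
```

The cost of this design is the one the section names: a phrase generated this way is meaningless to a BIP-39 wallet, and a BIP-39 phrase fails the prefix check with probability 255/256, so neither side can silently misinterpret the other.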
BIP-39 in Practice
Despite its formal "discourage" status, BIP-39 dominates the wallet ecosystem. It is supported by every major hardware wallet (Trezor, Ledger, Coldcard, Keystone), virtually all software wallets, and has been adopted beyond Bitcoin across Ethereum, Solana, and most major blockchains. The 12-word and 24-word seed phrase has become synonymous with cryptocurrency self-custody.
Complementary standards have emerged to address some limitations. SLIP-39 (Shamir Backup) splits a master secret into multiple shares using Shamir's Secret Sharing, so that any threshold of shares (for example, 3-of-5) can reconstruct it; it is supported on newer Trezor devices. SLIP-39 is a separate format rather than a wrapper around BIP-39: its shares cannot be converted into a BIP-39 phrase, and a wallet must support SLIP-39 directly to restore from them. The extended-key ecosystem built on BIP-32 does not itself require BIP-39, but BIP-39 is the standard entry point through which most wallets produce the BIP-32 master seed.
This glossary entry is for informational purposes only and does not constitute financial or investment advice. Always do your own research before using any protocol or technology.