Seed Phrase

What Is a Seed Phrase?

A seed phrase (also called a recovery phrase or mnemonic phrase) is an ordered list of common English words that encodes the cryptographic seed behind a Bitcoin wallet. Instead of forcing users to back up a raw 128-bit or 256-bit binary string, BIP-39 maps that entropy to words like "abandon," "clock," or "zebra" that humans can read, write, and verify without error-prone hex transcription.

The concept was formalized in 2013 as BIP-39 (Bitcoin Improvement Proposal 39) and has since become the dominant standard for wallet backup across the Bitcoin ecosystem. When combined with BIP-32 hierarchical deterministic key derivation, a single seed phrase can reproduce an unlimited tree of private keys, public keys, and addresses. This means one backup protects every UTXO the wallet will ever control.

How It Works

BIP-39 Mnemonic Encoding

The process starts with entropy: a cryptographically secure random number. BIP-39 supports entropy lengths of 128, 160, 192, 224, or 256 bits, but the two common choices are 128 bits (12 words) and 256 bits (24 words). The encoding works as follows:

1. Generate random entropy (128 or 256 bits from a CSPRNG)
2. Compute a checksum by taking the first N bits of the SHA-256 hash of the entropy, where N equals the entropy length divided by 32
3. Append the checksum bits to the entropy, producing a combined bit string
4. Split the combined string into 11-bit groups (each group maps to one of 2,048 words)
5. Look up each 11-bit value in the BIP-39 wordlist to produce the final mnemonic

For a 12-word phrase: 128 bits of entropy + 4-bit checksum = 132 bits, divided into twelve 11-bit segments. For a 24-word phrase: 256 bits + 8-bit checksum = 264 bits, divided into twenty-four 11-bit segments.

# BIP-39 encoding structure
128-bit entropy → 4-bit checksum  → 132 bits → 12 words
256-bit entropy → 8-bit checksum  → 264 bits → 24 words

# Each word encodes 11 bits:
2^11 = 2048 possible words per position

# Example mapping (first 5 entries of BIP-39 English wordlist):
0000 0000 000 → "abandon"   (index 0)
0000 0000 001 → "ability"   (index 1)
0000 0000 010 → "able"      (index 2)
0000 0000 011 → "about"     (index 3)
0000 0000 100 → "above"     (index 4)

The checksum serves as a built-in error detection mechanism. If a user mistranscribes a single word, the checksum will almost certainly fail, alerting wallet software that the phrase is invalid before any funds are lost.

From Mnemonic to Master Seed

The word list itself is not used directly as key material. BIP-39 applies a key-stretching function to convert the mnemonic into a 512-bit seed:

seed = PBKDF2(
  password:   mnemonic_sentence,    // words joined by spaces
  salt:       "mnemonic" + passphrase,  // optional passphrase
  iterations: 2048,
  key_length: 512 bits,
  hash:       HMAC-SHA512
)

This 512-bit seed then feeds into BIP-32 to derive the master private key and master chain code. From there, the HD wallet uses derivation paths (defined by standards like BIP-44, BIP-49, BIP-84, and BIP-86) to generate child keys for different address types, accounts, and purposes.

# Common derivation paths from BIP-32/44/84/86:
m/44'/0'/0'  → Legacy (P2PKH) addresses
m/49'/0'/0'  → Nested SegWit (P2SH-P2WPKH) addresses
m/84'/0'/0'  → Native SegWit (P2WPKH) addresses
m/86'/0'/0'  → Taproot (P2TR) addresses

Because the derivation is deterministic, the same seed phrase always produces the same tree of keys. This is why a single backup of the seed phrase is sufficient to restore a wallet on any compatible software, even years later, including addresses for SegWit and Taproot outputs.

12 vs 24 Words: The Security Tradeoff

A 12-word seed phrase encodes 128 bits of entropy, which provides 2¹²⁸ possible combinations: roughly 3.4 × 10³⁸. This is far beyond brute-force feasibility with any known or foreseeable technology. A 24-word phrase doubles the entropy to 256 bits (2²⁵⁶ combinations), matching the security level of the secp256k1 elliptic curve used by Bitcoin itself.

In practice, 128 bits is more than sufficient for individual wallet security. The reason some wallets default to 24 words is defense in depth: if a partial leak occurs (an attacker learns some of the words), 256-bit entropy provides a larger margin before the remaining search space becomes feasible. The tradeoff is usability: 24 words are harder to transcribe, verify, and store without errors.

The Passphrase (25th Word)

BIP-39 includes an optional passphrase that acts as an additional input to the PBKDF2 derivation. When a passphrase is set, it is concatenated with the string "mnemonic" to form the salt. A different passphrase produces a completely different 512-bit seed and therefore a completely different set of keys and addresses: there is no way to tell whether a given mnemonic has a passphrase or not.

This property enables plausible deniability. A user can create a decoy wallet with no passphrase (or a simple passphrase) holding a small amount of funds, while their primary holdings exist under a stronger passphrase. An attacker who obtains the seed phrase alone would only see the decoy wallet.

The risk is significant: if the passphrase is lost, the wallet derived from it is permanently inaccessible. Unlike the mnemonic words, there is no checksum or wordlist constraint on the passphrase. It can be any UTF-8 string, and a single wrong character produces a valid but empty wallet with no error message.

Use Cases

Wallet Recovery

The primary use case is disaster recovery. If a phone is lost, a laptop fails, or a hardware wallet breaks, the seed phrase restores full access to every address and balance. Any BIP-39-compatible wallet software can import the phrase and reconstruct the key tree. This is what makes self-custody practical for long-term holders: a piece of paper can outlast any electronic device.

Wallet Migration

Seed phrases enable moving between wallet software without on-chain transactions. A user can switch from one wallet application to another by importing the same mnemonic, provided both wallets support the same derivation paths. This portability reduces vendor lock-in and gives users sovereignty over their keys. For a deeper look at how multisig wallets handle more complex backup scenarios, multiple seed phrases may be involved.

Inheritance Planning

Seed phrases provide a mechanism for transferring Bitcoin holdings to heirs. A sealed seed phrase stored with a lawyer, in a safe deposit box, or split across trusted parties using Shamir's Secret Sharing can ensure that funds remain accessible after the original holder is no longer available. The passphrase can serve as a second factor distributed separately.

Backup Best Practices

Because a seed phrase grants total control over all derived funds, backup security is paramount. The following strategies reduce the risk of loss or theft:

• Metal plates or washers: stamped or engraved metal resists fire, water, and degradation far better than paper. Products like Cryptosteel, Billfodl, and DIY stainless steel washer backups are popular options for long-term cold storage
• Geographic distribution: storing copies in multiple physical locations (home safe, bank vault, trusted family member) protects against single-point-of-failure events like house fires or natural disasters
• Passphrase separation: if using a BIP-39 passphrase, store it separately from the mnemonic so that compromising one location does not compromise the wallet
• Verification after creation: immediately after generating a seed phrase, restore it in the same wallet software to confirm the words were recorded correctly before sending any funds to derived addresses

Risks and Considerations

Common Mistakes

The most frequent cause of fund loss is not hacking but user error. These mistakes account for the majority of unrecoverable wallet situations:

• Digital storage: saving the seed phrase in a notes app, cloud drive, email draft, or screenshot creates a digital copy that malware, cloud breaches, or device theft can expose. Seed phrases should exist only in physical form
• Sharing the phrase: no legitimate wallet, exchange, or support agent will ever ask for a seed phrase. Phishing attacks that request the phrase remain one of the most common attack vectors in crypto
• Single-copy backup: a single paper backup stored in one location is vulnerable to fire, flooding, or accidental disposal. Redundancy across locations is essential
• Ignoring the passphrase: users who set a BIP-39 passphrase and later forget it lose access permanently. The passphrase itself must be backed up with the same rigor as the mnemonic

Physical Security Threats

A seed phrase is a bearer instrument: whoever possesses the words controls the funds. This creates physical security concerns distinct from digital threats. An attacker with physical access to the backup can sweep all funds instantly. The BIP-39 passphrase mitigates this by requiring a second piece of information, but only if the passphrase is strong and stored separately.

Quantum Computing

Seed phrases themselves are not directly vulnerable to quantum computers, but the elliptic curve keys derived from them could theoretically be broken by a sufficiently powerful quantum computer running Shor's algorithm. Research into Schnorr signatures and post-quantum cryptographic schemes is ongoing, but current consensus holds that this threat is not imminent. For now, the PBKDF2 key-stretching step and the one-way nature of the hash functions used in derivation provide adequate protection.

BIP-39 Criticisms

BIP-39 is not without detractors. Some developers argue that the PBKDF2 iteration count (2,048) is too low for modern hardware, making passphrase-protected mnemonics more susceptible to brute-force attacks than they should be. Others point out that BIP-39 wordlists are language-specific, creating potential interoperability issues. Alternative standards like BIP-85 (deterministic entropy from BIP-32 keychains) and SLIP-39 (Shamir backup) have emerged to address some of these limitations while maintaining backward compatibility.

This glossary entry is for informational purposes only and does not constitute financial or investment advice. Always do your own research before using any protocol or technology.