How Fast Can a Seed Phrase Be Brute-Forced? (2026)

The most common fear among cryptocurrency holders is that someone will guess their seed phrase. Twelve words chosen from a list of 2,048 -- how hard can it be to crack? The answer, grounded in mathematics rather than speculation, is that brute-forcing a properly generated seed phrase is not merely difficult. It is physically impossible with any technology that exists or is projected to exist.

This article walks through the numbers, considers realistic attack scenarios with current and future hardware, and explains why real threats to your seed phrase have nothing to do with brute force.

The Mathematics of Entropy¶

A 12-word BIP39 seed phrase encodes 128 bits of entropy. Each word is drawn from a standardized list of 2,048 words, and each word encodes 11 bits of information (because 2^11 = 2,048). Twelve words encode 132 bits total, of which 128 are entropy and 4 are a checksum.

The total number of valid 12-word seed phrases is:

2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456

That is approximately 3.4 x 10^38, or 340 undecillion combinations.

A 24-word seed phrase encodes 256 bits of entropy, yielding:

2^256 ~ 1.16 x 10^77 combinations

To put 2^256 in perspective: the estimated number of atoms in the observable universe is roughly 10^80. A 24-word seed phrase has a keyspace within a few orders of magnitude of the atomic count of everything that exists.

These are not arbitrary numbers. They are the foundation of the security model for Bitcoin, Ethereum, and every other cryptocurrency that uses BIP39 mnemonics. For a deeper explanation of how entropy works, see What Is Entropy in Crypto?.

2^128 Combinations: What Does That Mean?¶

Large numbers are difficult to intuit. Here are several ways to understand the scale of 2^128.

Counting at computer speed¶

Suppose you have a computer that can check one trillion (10^12) seed phrases per second. That is far beyond what any single machine can achieve today, but let us be generous.

At that rate, checking all 2^128 combinations would take:

3.4 x 10^38 / 10^12 = 3.4 x 10^26 seconds

The age of the universe is approximately 4.3 x 10^17 seconds (13.8 billion years). So this single computer, running at a trillion checks per second since the Big Bang, would have completed roughly:

4.3 x 10^17 / 3.4 x 10^26 = 0.0000000013% of the search space

To brute-force a 12-word seed phrase at one trillion guesses per second, you would need about 10 billion times the current age of the universe.

Energy constraints¶

There is a fundamental physical limit to computation known as the Landauer bound: erasing one bit of information requires a minimum of kT ln(2) joules of energy, where k is Boltzmann's constant and T is temperature. At room temperature (300K), this is approximately 2.85 x 10^-21 joules per bit operation.

To cycle through 2^128 states, even a theoretically perfect computer operating at the Landauer limit would require:

2^128 x 2.85 x 10^-21 ~ 9.7 x 10^17 joules

That is roughly the annual energy output of the Sun (3.8 x 10^26 watts) for about 2.5 microseconds -- which sounds manageable until you realize this assumes every operation uses the absolute minimum energy allowed by physics. Real computers consume many orders of magnitude more energy per operation. A realistic brute-force attempt against 2^128 would require energy budgets that exceed planetary-scale resources.

For 2^256, the energy requirement exceeds what the entire observable universe could provide.

Comparison to lottery odds¶

The odds of winning a typical national lottery jackpot are about 1 in 300 million (roughly 2^28). Guessing a 12-word seed phrase on the first try is equivalent to winning that lottery 2^100 times in a row. That is not a hyperbole for effect; it is the literal mathematical comparison.

GPU and ASIC Attack Scenarios¶

Let us move from theory to practice and consider what attackers can actually deploy in 2026.

Current GPU capabilities¶

A high-end GPU (like an NVIDIA RTX 5090) can perform roughly 2-3 billion SHA-256 hashes per second. Deriving a BIP39 seed phrase requires running PBKDF2-HMAC-SHA512 with 2,048 iterations, followed by key derivation. This means each seed phrase check requires approximately 4,096 SHA-512 operations.

Effective seed phrase checks per GPU: roughly 500,000 to 1,000,000 per second.

Even with a thousand GPUs working in parallel, you reach about 10^9 checks per second. Against 2^128 possibilities:

3.4 x 10^38 / 10^9 = 3.4 x 10^29 seconds ~ 10^22 years

That is ten sextillion years, about 700 billion times the age of the universe.

ASIC mining farms¶

Bitcoin ASIC miners are the most powerful SHA-256 hardware on the planet. The entire Bitcoin network performs roughly 600 exahashes per second (6 x 10^20 hashes/second) as of early 2026. Even if this entire network were repurposed for seed phrase cracking (which it cannot be directly, due to the PBKDF2 step), the effective check rate would be dramatically reduced by the 2,048-iteration PBKDF2 requirement.

Optimistic estimate: the entire Bitcoin mining network might manage ~10^17 seed phrase checks per second if purpose-built ASICs were designed for this task.

3.4 x 10^38 / 10^17 = 3.4 x 10^21 seconds ~ 10^14 years

That is still 100 trillion years. About 7,000 times the current age of the universe.

Nation-state level attacks¶

Even if a government dedicated a budget equivalent to the entire global GDP ($100 trillion) to building seed-phrase-cracking hardware, and even if that hardware were 1,000x more efficient than current ASICs, the math does not change in any meaningful way. You might shave a few orders of magnitude off the estimate, bringing it down to perhaps 10^10 years -- still a hundred times the age of the universe.

12 Words vs 24 Words¶

Given that 128 bits (12 words) is already beyond brute force, why does BIP39 offer a 24-word (256-bit) option?

Current security: both are sufficient¶

Against classical computing attacks, 128 bits of entropy is unbreakable. No combination of existing technology can reduce the search time to anything remotely practical. For day-to-day cryptocurrency use, a 12-word seed phrase provides more than adequate security.

Quantum computing considerations¶

Grover's algorithm, a quantum computing technique, can theoretically search an unstructured space of 2^n items in 2^(n/2) steps. Applied to a 128-bit seed phrase, this would reduce the effective security to 64 bits -- roughly 1.8 x 10^19 combinations.

Is 2^64 breakable? With a large enough quantum computer, potentially yes, though not quickly. It would still require billions of quantum operations, and current quantum computers have fewer than 2,000 noisy qubits -- far from the millions of error-corrected qubits needed for Grover's algorithm at scale.

A 24-word (256-bit) seed phrase reduces to 128-bit security under Grover's algorithm, keeping it firmly in the unbreakable range even against future quantum computers. If you are planning for decades of security, 24 words provide an additional safety margin.

For a comprehensive analysis of the quantum threat to cryptocurrency, see Quantum Computing and the Crypto Threat.

Practical recommendation¶

For most users, a 12-word seed phrase generated with proper entropy is secure. If you are storing significant value for the long term (10+ years) and want to hedge against quantum computing advances, use a 24-word phrase. SafeSeed's Bitcoin Seed Phrase Generator and Ethereum Seed Phrase Generator support both 12-word and 24-word generation.

Real-World Attack Vectors (Not Brute Force)¶

If brute-forcing a seed phrase is impossible, how do people actually lose their cryptocurrency? The answer is that real attacks target the human, the environment, or the storage -- never the math.

Phishing¶

Attackers create fake wallet websites, recovery pages, or support channels that trick users into entering their seed phrase. No amount of cryptographic strength protects against voluntarily handing over your keys. See Common Crypto Scams Involving Seed Phrases for specific attack patterns to watch for.

Malware¶

Keyloggers, screen-capture tools, and clipboard hijackers can record a seed phrase as it is being entered or displayed. Generating your seed phrase on a compromised device negates all mathematical security. For guidance on safer generation, see Are Online Seed Generators Safe?.

Physical theft¶

A seed phrase written on paper and stored in an unlocked drawer is vulnerable to anyone with physical access. Cold storage best practices and secure physical storage are essential. Our Cold Storage Guide covers the physical security dimension.

Social engineering¶

Attackers impersonate wallet support teams, exchange staff, or even friends to convince victims to reveal their seed phrases. No legitimate service will ever ask for your seed phrase.

Weak entropy¶

If the random number generator used to create the seed phrase was flawed, the actual entropy may be far less than 128 bits. A seed phrase generated from Math.random() or a predictable source might have only 30-50 bits of effective entropy, which is absolutely within brute-force range. This is why the entropy source matters critically; see What Is Entropy in Crypto? for the full explanation.

Supply chain attacks¶

Compromised hardware wallets, tampered software downloads, or pre-generated seed phrases included in device packaging have all been documented attack vectors. Always verify the integrity of your tools and never use a seed phrase that was generated by someone else or pre-printed with a device.

Making Your Seed Phrase Uncrackable¶

The mathematical security of a BIP39 seed phrase is already effectively absolute. Your job is to ensure that the practical security matches the theoretical security.

1. Use a cryptographically secure generator¶

Generate your seed phrase with a tool that uses crypto.getRandomValues() or equivalent hardware-backed randomness. SafeSeed's generators use the Web Crypto API for all entropy, ensuring the full 128 or 256 bits of randomness are cryptographically sound.

2. Generate offline when possible¶

Disconnect from the internet before generating your seed phrase. An air-gapped environment eliminates network-based exfiltration. See How to Generate a Bitcoin Seed Phrase Offline for step-by-step instructions.

3. Store securely¶

Write your seed phrase on durable material (steel plates resist fire and water better than paper). Store it in a physically secure location. Consider splitting it using Shamir's Secret Sharing if you need distributed backup. Our Private Key Security Best Practices guide covers storage in depth.

4. Never enter your seed phrase digitally¶

Do not type your seed phrase into any website, application, or digital document unless you are restoring a wallet in a trusted application you initiated. If someone asks you to "verify" your seed phrase online, it is a scam. Every time.

5. Consider a passphrase¶

BIP39 supports an optional passphrase (sometimes called the "25th word") that is combined with the mnemonic during seed derivation. This adds a layer of protection: even if an attacker obtains your 12 or 24 words, they cannot derive your wallet without the passphrase. The trade-off is that if you forget the passphrase, your funds are equally inaccessible to you.

The numbers are unambiguous. A properly generated 12-word seed phrase has 340 undecillion possible combinations. No computer, no network of computers, no quantum computer, and no theoretical future technology can search through that space. The math is not close to breakable; it is not even in the same universe as breakable.

Your seed phrase's security depends entirely on two things: the quality of the entropy that generated it, and your discipline in keeping it secret. Get those right, and the cryptography handles the rest.