BIP-39 Standard Explained: How Mnemonic Seed Phrases Work
BIP-39 (Bitcoin Improvement Proposal 39) defines the standard for generating mnemonic sentences — the familiar 12 or 24 word sequences — that encode the entropy used to derive cryptocurrency wallet keys. Published in 2013 by Marek Palatinus, Pavol Rusnak, Aaron Voisine, and Sean Bowe, BIP-39 has become the dominant standard for wallet backup across virtually all major cryptocurrencies.
Understanding BIP-39 at a technical level gives you confidence that your seed phrase backup is reliable and helps you evaluate the security properties of different wallet implementations.
Overview of BIP-39
BIP-39 specifies two processes:
- Mnemonic generation — Converting random entropy into a sequence of human-readable words.
- Seed derivation — Converting the mnemonic words (plus an optional passphrase) into a 512-bit binary seed that can be used with BIP-32 for hierarchical deterministic key generation.
These two processes are deliberately separate. The mnemonic is the human-friendly representation; the seed is the cryptographic input to key derivation.
Step 1: Entropy Generation
The process begins with a block of cryptographically secure random data (entropy). BIP-39 supports five entropy sizes:
| Entropy (bits) | Checksum (bits) | Total (bits) | Words |
|---|---|---|---|
| 128 | 4 | 132 | 12 |
| 160 | 5 | 165 | 15 |
| 192 | 6 | 198 | 18 |
| 224 | 7 | 231 | 21 |
| 256 | 8 | 264 | 24 |
In practice, nearly all wallets use either 128 bits (12 words) or 256 bits (24 words). The other sizes are valid per the specification but rarely implemented.
The quality of the entropy source is paramount. If the random number generator is biased, predictable, or has insufficient entropy, the resulting seed phrase can be guessed by an attacker. See our Entropy and Randomness guide for a detailed treatment of this topic.
Entropy Sources
- Hardware random number generators (HRNG) — Used by hardware wallets like Ledger and Trezor. These sample physical phenomena (thermal noise, shot noise) to produce true randomness.
- Operating system CSPRNG —
/dev/urandomon Linux/macOS,CryptGenRandomon Windows, orcrypto.getRandomValues()in browsers. These are cryptographically secure pseudo-random number generators (CSPRNGs) seeded from hardware entropy sources. - Dice rolls — Some users generate entropy manually using casino-grade dice, mapping rolls to binary or word indices. This eliminates trust in any software or hardware RNG.
Step 2: Checksum Computation
Once the entropy is generated, a checksum is appended:
- Compute the SHA-256 hash of the entropy bytes.
- Take the first
ENT / 32bits of the hash (where ENT is the entropy length in bits). - Append these checksum bits to the entropy.
For 256-bit entropy, this produces 8 checksum bits, making a total of 264 bits.
The checksum serves as an error-detection mechanism: when you enter your seed phrase into a wallet for recovery, the wallet recomputes the checksum. If any word is wrong or words are in the wrong order, the checksum will fail and the wallet will reject the mnemonic. This protects against transcription errors but does not correct them — it only detects that something is wrong.
Checksum Implications
Because the last word of the mnemonic encodes checksum bits, not all words are valid as the final word for a given sequence. For a 24-word mnemonic, the last word encodes 3 bits of entropy and 8 bits of checksum, so only 8 of the 2,048 possible words are valid for any given first 23 words. This is why you cannot freely choose the last word.
Step 3: Mapping to Words
The combined entropy + checksum bits are divided into groups of 11 bits. Each 11-bit group represents an index from 0 to 2,047, corresponding to a word in the BIP-39 word list.
264 bits / 11 bits per word = 24 words
132 bits / 11 bits per word = 12 words
The English Word List
The BIP-39 English word list contains exactly 2,048 words. The list was carefully curated with these properties:
- Unique four-letter prefixes — No two words share the same first four characters. This means
abandoncan be unambiguously identified asaban, which is useful for compact metal backups. - Common vocabulary — Words are simple, widely known English words. No jargon, proper nouns, or obscure terms.
- Avoidance of similar words — Words that could be easily confused (e.g., "woman" and "women") are excluded where possible.
- Character length — All words are between 3 and 8 characters.
Other Language Word Lists
BIP-39 defines word lists in nine languages:
| Language | Status | Notes |
|---|---|---|
| English | Reference standard | Most widely supported |
| Japanese | Standardized | Uses katakana; spaces are ideographic (U+3000) |
| Korean | Standardized | |
| Spanish | Standardized | |
| Chinese (Simplified) | Standardized | |
| Chinese (Traditional) | Standardized | |
| French | Standardized | |
| Italian | Standardized | |
| Czech | Standardized | |
| Portuguese | Standardized |
Important compatibility note: A mnemonic generated with one word list cannot be restored using a different language word list. The word indices are different between languages. Always note which language was used when creating your backup.
Step 4: Seed Derivation (PBKDF2)
The mnemonic sentence is not used directly as a cryptographic key. Instead, it undergoes key stretching using PBKDF2-HMAC-SHA512:
PBKDF2(
password = mnemonic sentence (words joined by spaces, normalized to UTF-8 NFKD),
salt = "mnemonic" + optional_passphrase,
iterations = 2048,
key_length = 512 bits
)
This produces a 512-bit seed that serves as the input to BIP-32 hierarchical deterministic key derivation.
Key Properties of PBKDF2 in BIP-39
Key stretching — The 2,048 iterations of PBKDF2 add computational cost to brute-force attacks. While 2,048 iterations is modest by modern password-hashing standards, the primary security comes from the entropy of the mnemonic itself (128 or 256 bits), not from the key-stretching factor.
Passphrase support — The salt includes an optional passphrase (the "25th word"). If no passphrase is provided, the salt is simply the string "mnemonic". If a passphrase is provided, the salt becomes "mnemonic" + passphrase. This means every different passphrase produces a completely different seed — and therefore a completely different set of keys and addresses — from the same mnemonic.
No validation of passphrase — Unlike the mnemonic checksum, there is no checksum on the passphrase. Any passphrase is valid. Entering the wrong passphrase does not produce an error; it silently generates a different (empty) wallet. This is a feature for plausible deniability but a danger for users who forget their passphrase.
Unicode normalization — The mnemonic and passphrase are normalized using UTF-8 NFKD (Normalization Form Compatibility Decomposition) before being passed to PBKDF2. This ensures consistent seed derivation across implementations, regardless of how the operating system internally represents characters.
Step 5: From Seed to Keys (BIP-32)
The 512-bit seed from PBKDF2 is used as input to BIP-32 (Hierarchical Deterministic Wallets):
- The seed is passed through HMAC-SHA512 with the key "Bitcoin seed".
- The left 256 bits become the master private key.
- The right 256 bits become the master chain code.
- Together, they form the master extended private key (xprv).
From here, BIP-44 derivation paths define a standardized tree structure for deriving coin-specific keys and addresses.
Worked Example
Let us trace through BIP-39 with a simplified example using 128 bits of entropy (12-word mnemonic):
1. Generate 128 bits of entropy
00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000
(This is all-zeros entropy — for illustration only. Never use in practice.)
2. Compute SHA-256 hash
SHA256(0x00000000000000000000000000000000) = 374708fff7719dd5979ec875d56cd2286f6d3cf7ec317a3b25632aab28ec37bb
3. Take first 4 bits of hash as checksum
First byte: 0x37 = 00110111. First 4 bits: 0011.
4. Append checksum to entropy
128 bits of zeros + 0011 = 132 bits total.
5. Split into 11-bit groups
00000000000 → 0 → "abandon"
00000000000 → 0 → "abandon"
00000000000 → 0 → "abandon"
00000000000 → 0 → "abandon"
00000000000 → 0 → "abandon"
00000000000 → 0 → "abandon"
00000000000 → 0 → "abandon"
00000000000 → 0 → "abandon"
00000000000 → 0 → "abandon"
00000000000 → 0 → "abandon"
00000000000 → 0 → "abandon"
00000000011 → 3 → "about"
Result: abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about
This is the well-known test vector for all-zeros entropy. The last word is "about" (not "abandon") because of the checksum bits.
6. Derive seed with PBKDF2
PBKDF2("abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon about", "mnemonic", 2048, 64)
This produces a 512-bit seed used for BIP-32 derivation.
Use the SafeSeed Seed Phrase Generator to see BIP-39 in action. Generate a seed phrase and view the entropy, checksum, and word mapping in real time. Run the tool offline for maximum security.
Security Analysis of BIP-39
Entropy Security
For a 24-word mnemonic (256 bits of entropy):
- The search space is 2^256, approximately 1.16 x 10^77 possibilities.
- Even at a rate of one trillion (10^12) attempts per second, exhaustive search would take approximately 3.67 x 10^57 years — far longer than the age of the universe (1.38 x 10^10 years).
For a 12-word mnemonic (128 bits of entropy):
- The search space is 2^128, approximately 3.4 x 10^38 possibilities.
- At one trillion attempts per second, exhaustive search would take approximately 10^19 years.
Both are computationally infeasible with classical computing.
PBKDF2 Considerations
The 2,048-iteration PBKDF2 adds a constant factor to brute-force attacks but is not the primary security barrier. Some security researchers have noted that 2,048 iterations is low compared to modern key-derivation functions like Argon2 or bcrypt. However, because the mnemonic entropy (128 or 256 bits) is the dominant factor, this is a minor concern in practice.
Checksum Limitations
The checksum catches most transcription errors but:
- It detects but does not correct errors.
- For 12-word mnemonics, only 4 checksum bits exist, meaning approximately 1 in 16 random modifications will pass the checksum.
- The checksum does not protect against word reordering that happens to produce a valid checksum.
Passphrase Risks
The passphrase feature is powerful but introduces risks:
- If you forget the passphrase, the funds are irrecoverable (no "reset" mechanism).
- The passphrase is not validated — any string produces a valid wallet.
- An attacker who obtains the mnemonic but not the passphrase must brute-force the passphrase, which provides additional security proportional to the passphrase's entropy.
BIP-39 Criticisms
BIP-39 is not without critics within the Bitcoin development community.
No Versioning
BIP-39 does not include a version byte, meaning the derivation process is fixed forever. If a future improvement requires a different key derivation function or different parameters, it cannot be signaled within the mnemonic format. This is why some wallets (notably Electrum) use their own mnemonic scheme with versioning.
Tight Coupling to Word List
The mnemonic is dependent on the exact word list. If the word list were ever modified, existing mnemonics could not be recovered. The word lists have been frozen since standardization, but this inflexibility is viewed as a design limitation by some.
Weak Key Stretching
As noted, 2,048 iterations of PBKDF2 is considered weak by modern standards. While this does not materially affect security for high-entropy mnemonics, it provides less protection for shorter or user-chosen passphrases.
Electrum's Alternative
The Electrum wallet uses its own mnemonic scheme that includes versioning and does not rely on a fixed word list. Electrum mnemonics are not BIP-39 compatible. This means an Electrum seed phrase cannot be restored in a BIP-39 wallet and vice versa. Always know which standard your wallet uses.
BIP-39 Implementations
BIP-39 is implemented in virtually every major wallet:
| Wallet | BIP-39 | Word Count | Notes |
|---|---|---|---|
| Ledger | Yes | 24 | Hardware, secure element |
| Trezor | Yes | 12/24 | Also supports SLIP-39 (Shamir) |
| Coldcard | Yes | 24 | Bitcoin-only hardware |
| MetaMask | Yes | 12 | Browser extension |
| Trust Wallet | Yes | 12 | Mobile |
| Exodus | Yes | 12 | Desktop/mobile |
| Electrum | No | 12 | Uses own scheme |
| BlueWallet | Yes | 12/24 | Bitcoin-focused mobile |
Testing and Verification
Official Test Vectors
The BIP-39 specification includes test vectors — known entropy values with their corresponding mnemonic words and derived seeds. These are used to verify that implementations are correct.
You can verify your wallet's BIP-39 implementation by checking against the official test vectors published at:
Verifying Your Seed Phrase
To verify that you have correctly recorded your seed phrase:
- Generate the seed phrase on your hardware wallet.
- Write it down carefully.
- Reset the hardware wallet to factory settings.
- Restore from the seed phrase you wrote down.
- Verify that the same addresses are generated.
- Confirm the wallet can sign transactions.
This process confirms both that your backup is correct and that the wallet's BIP-39 implementation works as expected.
FAQ
What does BIP-39 stand for?
BIP stands for Bitcoin Improvement Proposal. BIP-39 is proposal number 39, which defines the standard for creating mnemonic (human-readable) representations of cryptographic entropy. It was introduced in 2013 and has been adopted by virtually all major cryptocurrency wallets.
Are all 12-word seed phrases BIP-39?
No. Some wallets (notably Electrum) use their own mnemonic scheme that is distinct from BIP-39. While both produce 12-word phrases from word lists, the encoding, word lists, and derivation processes are different. A BIP-39 phrase cannot be used with Electrum's scheme and vice versa. Always check your wallet's documentation.
Can I create my own BIP-39 seed phrase by choosing words?
You should not. While it is technically possible to select 23 words and compute a valid 24th word (to satisfy the checksum), human word selection does not produce sufficient entropy. The security of BIP-39 depends on the words being derived from high-quality random data, not from human choice. Let a CSPRNG generate the entropy.
Why is the word "mnemonic" used as the PBKDF2 salt?
The string "mnemonic" is a fixed salt specified by BIP-39. When a passphrase is used, it is appended to this salt (e.g., "mnemonicMyPassphrase"). Using a fixed known salt ensures consistent seed derivation across all implementations without requiring any additional information beyond the mnemonic and optional passphrase.
Is BIP-39 used only for Bitcoin?
No. BIP-39 is used across virtually all major cryptocurrencies, including Ethereum, Litecoin, Cardano, Solana, and many others. The mnemonic generation and seed derivation process is identical; only the subsequent key derivation paths (defined by BIP-44 coin types) differ between chains.
What is the difference between BIP-39 and SLIP-39?
BIP-39 produces a single mnemonic that represents the full secret. SLIP-39 (Satoshi Labs Improvement Proposal 39) implements Shamir's Secret Sharing, splitting the secret into multiple shares (e.g., 3-of-5). Any threshold number of shares can reconstruct the secret, but fewer shares reveal no information. SLIP-39 uses a different word list and encoding than BIP-39.
How many valid BIP-39 mnemonics exist?
For 24-word mnemonics: 2^256 (approximately 1.16 x 10^77). For 12-word mnemonics: 2^128 (approximately 3.4 x 10^38). These numbers represent the entropy space. The checksum constrains the word combinations but does not reduce the entropy — it simply means not every random sequence of 24 BIP-39 words forms a valid mnemonic.