BIP39 Mnemonic Phrases Explained

If you have ever set up a cryptocurrency wallet, you have been asked to write down 12 or 24 words. Those words are your mnemonic phrase, also known as a seed phrase or recovery phrase. They are generated using a standard called BIP39, and they are the master key to all of your crypto assets. This guide explains exactly how BIP39 works, from random number generation to wallet derivation.

What is BIP39?

BIP39 stands for Bitcoin Improvement Proposal 39. Published in 2013 by Marek Palatinus (Slush), Pavol Rusnak, Aaron Voisine, and Sean Bowe, it defines a standard method for generating mnemonic sentences from random data and converting those sentences into a binary seed that can be used to create deterministic wallets.

Before BIP39, wallet backups required saving raw private keys or complex hex strings. BIP39 solved this by converting cryptographic randomness into human-readable words that are easier to write down, verify, and store.

The standard has been universally adopted. MetaMask, Ledger, Trezor, Trust Wallet, Phantom, and virtually every modern cryptocurrency wallet uses BIP39 mnemonic phrases.

How BIP39 Mnemonic Generation Works

The process of generating a mnemonic phrase has four steps:

Step 1: Generate Random Entropy

The foundation of a mnemonic phrase is cryptographically secure random data, called entropy. The amount of entropy determines the number of words:

Most wallets use either 128 bits (12 words) or 256 bits (24 words). The 12-word format provides 128 bits of security, which is considered secure against brute-force attacks for the foreseeable future. The 24-word format provides 256 bits, which is astronomically more secure.

Step 2: Add Checksum

A checksum is appended to the entropy to enable error detection. The checksum is calculated by taking the SHA-256 hash of the entropy and using the first N bits, where N = entropy_bits / 32.

For 128-bit entropy:
Entropy: 128 bits of random data
SHA-256(entropy): 256-bit hash
Checksum: first 4 bits of the hash
Total: 128 + 4 = 132 bits

This checksum allows wallets to verify whether a mnemonic phrase is valid. If you mistype a word, the checksum will not match, and the wallet can alert you to the error.

Step 3: Split Into 11-Bit Groups

The combined entropy + checksum bits are divided into groups of 11 bits. Each 11-bit value maps to an index in the BIP39 wordlist.

132 bits / 11 bits per word = 12 words
264 bits / 11 bits per word = 24 words

Since 11 bits can represent values from 0 to 2047, the wordlist contains exactly 2,048 words.

Step 4: Map to Words

Each 11-bit group is used as an index to look up a word from the BIP39 wordlist. The result is your mnemonic phrase.

Example (simplified):
Entropy + checksum bits: 00000000000 00001100100 ...
                         ↓           ↓
Word index:              0           100
Word:                    "abandon"   "blur"

Complete Example

Here is a concrete example of generating a 12-word mnemonic from 128 bits of entropy:

1. Entropy (128 bits, hex):
   0c1e24e5917779d297e14d45f14e1a1a

2. SHA-256 of entropy:
   2e17e5d2af3e8b97a4b028e8710d45ab...

3. Checksum (first 4 bits of SHA-256):
   0010

4. Entropy + checksum (132 bits), split into 11-bit groups:
   00001100000 11110001001 00111001011 ...

5. Word indices:
   96, 1929, 475, 2038, 1505, 1625, 580, 1997, 1063, 1950, 209, 1551

6. Mnemonic:
   army van deer turn pause ring estate match patrol voyage ring piece

You can generate your own mnemonic phrases using our BIP39 Mnemonic Generator. The generator runs entirely in your browser — no data is sent to any server.

The BIP39 Wordlist

The English BIP39 wordlist contains exactly 2,048 words. The words were carefully selected with several criteria:

1. Unique 4-letter prefix: No two words share the same first four characters. This means you can identify any word by its first four letters, which is useful for compact backup storage.
2. Common English words: Words are simple and widely known (e.g., "apple," "river," "garden") to reduce transcription errors.
3. No offensive words: Potentially offensive or inappropriate words were excluded.
4. No similar words: Words that look or sound alike (e.g., "woman" and "women") were avoided to prevent confusion.

BIP39 also defines wordlists for other languages including Japanese, Korean, Spanish, Chinese (Simplified and Traditional), French, Italian, and Czech. However, the English wordlist is by far the most widely used and is the default in most wallet software.

Sample Words from the Wordlist

From Mnemonic to Seed: PBKDF2

The mnemonic phrase alone is not directly used as a cryptographic key. Instead, it is converted into a 512-bit binary seed using the PBKDF2 key-stretching function:

Seed = PBKDF2(
  password: mnemonic_sentence,    // words joined by spaces
  salt: "mnemonic" + passphrase,  // optional passphrase
  iterations: 2048,
  key_length: 512 bits,
  hash: HMAC-SHA512
)

The Optional Passphrase

BIP39 supports an optional passphrase (sometimes called the "25th word"). This passphrase is appended to the salt during PBKDF2 derivation. Important properties:

• Different passphrase = completely different seed = completely different wallets
• The passphrase provides plausible deniability: you can have a decoy wallet (no passphrase) and a real wallet (with passphrase)
• There is no "wrong" passphrase. Any passphrase will generate a valid seed; it will just derive a different set of keys
• If you forget your passphrase, you cannot recover your wallet, even with the correct mnemonic

Mnemonic: "army van deer turn pause ring estate match patrol voyage ring piece"

No passphrase:  Seed → Wallet A (with its own addresses and keys)
Passphrase "x": Seed → Wallet B (completely different addresses and keys)
Passphrase "y": Seed → Wallet C (yet another set of addresses and keys)

From Seed to Wallet: BIP32 and BIP44

BIP39 generates the seed, but the actual wallet structure is defined by two companion standards:

BIP32: Hierarchical Deterministic Wallets

BIP32 defines how to derive a tree of key pairs from a single master seed. The seed is fed into HMAC-SHA512 to produce a master private key and a master chain code. From these, an unlimited number of child keys can be derived.

Seed (512 bits)
  → HMAC-SHA512
    → Master Private Key (256 bits) + Master Chain Code (256 bits)
      → Child Key 1
        → Grandchild Key 1a
        → Grandchild Key 1b
      → Child Key 2
        → ...

BIP44: Multi-Account Structure

BIP44 defines a specific derivation path structure for organizing keys across different cryptocurrencies and accounts:

m / purpose' / coin_type' / account' / change / address_index

m/44'/0'/0'/0/0    → First Bitcoin address
m/44'/60'/0'/0/0   → First Ethereum address
m/44'/501'/0'/0'   → First Solana address

This is why a single 12-word mnemonic can generate addresses for Bitcoin, Ethereum, Solana, and hundreds of other chains. Each chain uses a different coin_type value in the derivation path.

Security Considerations

Entropy Quality

The security of a mnemonic phrase depends entirely on the quality of the random number generator. A mnemonic generated from predictable data (timestamps, sequential numbers, weak PRNGs) can be brute-forced. Always use a cryptographically secure random number generator (CSPRNG). In browsers, this is crypto.getRandomValues(). In Node.js, use crypto.randomBytes().

Brute Force Resistance

A 12-word mnemonic has 128 bits of entropy, which means there are 2^128 (approximately 3.4 x 10^38) possible combinations. At one trillion guesses per second, it would take approximately 10^19 years to try all combinations. This is secure against any foreseeable computing capability.

A 24-word mnemonic has 256 bits of entropy, which is secure even against theoretical quantum computers using Grover's algorithm (which would reduce effective security to 128 bits).

Storage Best Practices

1. Write on paper or metal: Never store your mnemonic phrase digitally (no screenshots, no cloud storage, no notes app).
2. Store in multiple locations: Keep copies in separate physical locations to protect against fire, flood, or theft.
3. Never share: No legitimate service will ever ask for your mnemonic phrase. Anyone who has your phrase has full control of your funds.
4. Consider metal backup: Paper can be destroyed by fire or water. Metal backup plates (stamped or engraved) provide more durable storage.
5. Use the passphrase feature: Adding a passphrase provides an additional layer of security and enables plausible deniability.

Frequently Asked Questions