Article

What Is a Seed Phrase? BIP-39, 12 vs 24 Words, Security, and Safer Alternatives

September 9, 2025
This content is for educational purposes only and should not be considered financial advice. Crypto investments carry risks, including loss of capital. Always do your own research or consult a licensed advisor before investing.This content is for educational purposes only and should not be considered financial advice. Crypto investments carry risks, including loss of capital. Always do your own research or consult a licensed advisor before investing.

A seed phrase is a human-readable backup that restores your crypto wallet. Under the BIP-39 standard, 12 or 24 words encode strong randomness plus a checksum, which a wallet converts into a master key that can derive every account and address. Protect it offline, never share it, and consider a passphrase for extra security.

Key Takeaways

  • A seed phrase (mnemonic, recovery phrase) backs up the private keys for all accounts in a compatible wallet.
  • BIP-39 defines how wallets turn random bits into a list of words, then into a root seed that restores everything.
  • 12 words provide ~128-bit security, 24 words ~256-bit. Twelve words are already extremely strong for most users.
  • A passphrase (the “25th word”) hardens your backup, but losing it means funds are irrecoverable.
  • Do not take photos, upload to cloud drives, or type your seed into websites. Store offline, ideally on metal.
  • Newer options like MPC wallets and social recovery reduce seed-handling but introduce different trade-offs.

What is a seed phrase?

Seed phrases use words instead of numbers or code because words are easier for humans to read, write, and transcribe without errors. If your backup were shown in raw hexadecimal (a string of long numbers and letters), the chance of mistakes would skyrocket.

To solve this, BIP-39 introduced a fixed wordlist of 2048 carefully chosen words. These lists exist in multiple languages (English, Spanish, French, Italian, Chinese, Japanese, Korean, and others). Each word has a unique position in the list (from 0 to 2047). When your wallet generates entropy, it slices the random bits into chunks of 11 bits. Each chunk corresponds to a number between 0 and 2047, which is then mapped to a word from the list.

This is why:

  • The order of words matters: the sequence encodes specific entropy + checksum.
  • Spelling must be exact: each word is unique; no synonyms are allowed.
  • Language matters: restoring a seed requires the same language wordlist, otherwise the mapping won’t work.

The official wordlists are published in the BIP-39 standard on GitHub (maintained by Bitcoin developers). The most common one is the English wordlist, which includes words like “apple,” “globe,” “ribbon,” “zebra.” The words were chosen to avoid ambiguity—there are no similar-looking pairs like “pear” vs “peer,” or words with accents.

So, your seed phrase is not just “random words” picked from a dictionary. It’s structured randomness mapped to a standardized list, making it both human-friendly and cryptographically secure.

How BIP-39 works, step by step

  1. Entropy is generated. The wallet creates random bits, for example 128 bits for 12 words or 256 bits for 24 words.
  2. Checksum is added. A small checksum is appended to catch errors.
  3. Words are chosen. The combined bits are split into 11-bit chunks and mapped to a fixed list of 2048 words.
  4. Seed is derived. Your words, plus an optional passphrase, are run through PBKDF2-HMAC-SHA512 to produce a root seed.
  5. Keys are derived. Using BIP-32, the wallet expands this seed into a tree of keys. With BIP-44, keys are organized by coin, account, and address index.

What is entropy?

“Entropy” is a measure of randomness. More bits mean more possibilities.

  • 12 words encode 128 bits of entropy plus a 4-bit checksum.
  • 24 words encode 256 bits of entropy plus an 8-bit checksum.

Even 128 bits is astronomically large. At an unrealistically fast 10^18 guesses per second, the average time to brute-force 128 bits is over 5 trillion years. Twenty-four words provide a margin far beyond that.

Why is it a list of random words?

The words are not arbitrary. They come from the BIP-39 standard, which defines a fixed dictionary of 2048 unique words per language. By converting entropy (randomness) into words, wallets achieve three goals at once:

  • Human usability: words are easier to copy and verify than hexadecimal strings.
  • Error reduction: the dictionary avoids similar-looking or accented words, minimizing mistakes.
  • Standardization: any BIP-39 wallet can interpret the same phrase in the same way.

Each word corresponds to a number from 0 to 2047. Your entropy is split into 11-bit chunks, mapped to words, and combined with a checksum to ensure validity. Most wallets use the English list by default, but others exist. 

The key rule: always restore in the same language and keep the order intact.

How can 12 or 24 words control all my cryptocurrencies?

Your recovery words come from BIP-39, which defines how entropy (randomness) is turned into a mnemonic phrase and then into a seed. That seed is the starting point for everything else.

From there, BIP-32 takes over. It uses the seed to generate a hierarchical deterministic (HD) tree of private and public keys. This means a single root can deterministically produce unlimited accounts and addresses.

Finally, BIP-44 adds structure, standardizing derivation paths so different wallets know where to “look” for your keys.

  • Example Bitcoin path: m/44'/0'/0'/0/0
  • Example Ethereum path: m/44'/60'/0'/0/0
  • Coin type numbers are defined in SLIP-44.

This layered design is why one set of 12 or 24 words can unlock all your coins, tokens, and accounts across any compatible wallet:

  • BIP-39 → creates the seed.
  • BIP-32 → expands it into a key tree.
  • BIP-44 → organizes it by coin and account.
  • SLIP-44 → provides the official list of coin type numbers (e.g., 0 for Bitcoin, 60 for Ethereum) used inside BIP-44 paths.

What is SHA-256?

SHA-256 (Secure Hash Algorithm 256-bit) is a cryptographic hash function widely used in Bitcoin and many other blockchain systems. A hash function takes any input  text, numbers, or data and produces a fixed 256-bit output (a long string of letters and numbers).

Key properties of SHA-256:

  • Deterministic: the same input always produces the same output.
  • One-way: it’s practically impossible to reverse the process and recover the input from the output.
  • Collision-resistant: the chance of two different inputs producing the same output is astronomically small.
  • Uniform: outputs appear random, with no predictable patterns.

In the context of seed phrases and wallets, SHA-256 plays several roles:

  • Entropy checksum: BIP-39 uses SHA-256 to create a checksum from your entropy, ensuring you don’t mistype your recovery words.
  • Address generation: Bitcoin addresses and many blockchain identifiers are derived through SHA-256 hashing.
  • Security backbone: the difficulty of mining in proof-of-work chains like Bitcoin relies directly on the properties of SHA-256.

Think of SHA-256 as a digital fingerprint machine: no matter what you feed it, it produces a unique, fixed-size fingerprint. Even a tiny change in input — flipping one bit — completely changes the fingerprint.

How SHA-256 relates to the checksum

In BIP-39, the checksum is created by taking a SHA-256 hash of the entropy and appending a few bits of that hash to the end of the entropy. These extra bits act as an error check: if a word is mistyped or placed in the wrong order, the checksum will fail and the wallet will reject the phrase as invalid.

12 words vs 24 words: what is the real difference?

Feature 12 words (~128 bits) 24 words (~256 bits)
Practical security Already beyond realistic brute force Extra astronomical margin
Typical use Default for most wallets High-security setups
Restore compatibility Broad Broad
Best for Most users Large or institutional funds

Bottom line: 12 words are enough for nearly everyone; 24 words add margin for very large holdings.

Bottom line: 12 words are enough for almost everyone. Choose 24 if you want maximum theoretical security or operate with very large holdings.

What is a passphrase, and should I use it?

A passphrase is optional text you add to your seed phrase. It is not one of the 2048 BIP-39 words. You choose it freely, like a password.

When you combine your 12 or 24 words with a passphrase, the wallet generates a completely different set of keys and accounts. Without the passphrase, that wallet cannot be restored.

  • ‍Why people use it:‍
    • Extra layer of security if someone steals your recovery words.
    • Ability to create “decoy wallets” with small balances for plausible deniability.
  • Risks you must consider:‍
    • Forget the passphrase, and your funds are gone forever.
    • Writing it down next to your words reduces its security benefit.
    • You need to test your recovery process before moving all funds.
  • ‍Should you use one?‍
    • For most users, 12 or 24 words are already extremely secure.
    • A passphrase is best for advanced users who can manage backups safely.

SLIP-39 and Shamir backups

SLIP-39 splits a secret into multiple word shares using Shamir’s Secret Sharing. You might set 2-of-3 or 3-of-5 shares to recover. This reduces single-point risk, but support is not universal and it is not the same as BIP-39. Only use SLIP-39 if you understand the compatibility trade-offs.

BIP-39 vs BIP-32 vs BIP-44

  • BIP-39: How we turn randomness into words, then a seed.
  • BIP-32: How we derive a tree of keys from that seed.
  • BIP-44: A standard path structure so wallets and coins stay organized and compatible.

Think of BIP-39 as the language of your backup, BIP-32 as the family tree of keys, and BIP-44 as the addressing scheme for different coins and accounts.

Seed phrase security best practices

  • Write your phrase offline. Never photograph or scan it.
  • Keep at least two copies in separate, secure locations.
  • Consider a metal backup that resists fire and water.
  • Do not type your phrase into websites or unknown apps.
  • Use a passphrase if you can store it safely and will not forget it.
  • Test recovery with a small amount before moving all funds.
  • Keep your device firmware and wallet software up to date.

If I lose my seed phrase, is my crypto gone forever?

If your device dies and your seed is gone, funds are unrecoverable. If someone else gets your seed, they can take everything. There is no central recovery. This is why careful backups matter. If you used a passphrase, you also need that passphrase to recover.

Are there better or newer technologies replacing seed phrases?

Several approaches reduce direct seed handling. They do not remove responsibility, they shift it.

  • MPC wallets split your private key into encrypted shares across different devices or servers. No single piece can sign alone, which removes single points of failure. At Bleap, one share stays on your device and one on secure infrastructure, only you can authorize transactions, with no need to manage a seed phrase.
  • Smart accounts with social recovery let trusted “guardians” approve recovery. Examples include account abstraction models where you can replace a lost signer. This reduces seed exposure, but adds setup complexity and guardian risk.
  • Encrypted cloud backups (seedless UX) store secrets in secure enclaves plus cloud recovery. Convenient, but you must evaluate device security, cloud policies, and export options.

Kinds and variations of seed phrases

BIP-39 supports 12, 15, 18, 21, and 24 words. Most wallets default to 12 or 24. There is no meaningful security advantage to odd lengths beyond the entropy increase that comes with longer phrases.

Common and dangerous mistakes with recovery phrases

  • Typing your seed on a computer or website during “support” chats. This is a scam pattern.
  • Photos or cloud storage of your phrase, which can be exfiltrated.
  • Single copy at home, then a fire or move destroys it.
  • Misplaced passphrase, which makes a valid mnemonic useless.
  • Mixing standards, for example trying to restore SLIP-39 words into a BIP-39 wallet.
  • Not testing recovery until it is too late.

Quick setup guide

  1. Generate your wallet offline on a trusted device.
  2. Write down your words legibly, twice.
  3. Decide whether to use a passphrase. If yes, store it separately.
  4. Test a full recovery on a spare wallet with small funds.
  5. After testing, fund the wallet and keep firmware updated.

FAQ

What is BIP-39?

A standard that turns randomness into mnemonic words and then into a root seed used to derive keys.

What is BIP-32?

The hierarchical deterministic method that derives a tree of keys from that seed.

What is BIP-44?

A path convention that organizes accounts and coins so different wallets agree on where keys live.

What is SLIP-39?

A Shamir sharing approach that turns the backup into multiple word shares with thresholds for recovery.

What is the source of the words?

A fixed 2048-word list defined by BIP-39 in several languages, with English most common.

What is entropy in seed phrases?

Entropy is the randomness used to generate your recovery phrase. It ensures your 12 or 24 words are unpredictable. More entropy means more possible combinations: 12 words encode ~128 bits of entropy, while 24 words encode ~256 bits—making brute-force attacks virtually impossible.

What is a checksum in seed phrases?

A checksum is a small piece of error-detecting data added to the entropy before the words are chosen. In BIP-39, it helps prevent mistakes: if you mistype or reorder a word, the checksum won’t match, and the wallet will reject the phrase as invalid.

What is the difference between 12 and 24 words?

Security margin. Twelve words are already extremely strong. Twenty-four words provide a larger theoretical margin.

Should I use a passphrase?

Use it if you can store it safely and will not forget it. It meaningfully hardens your backup.

If I lose my seed, is my crypto gone?

If you also lose access to the device and do not have a passphrase and backup, yes. There is no central recovery.

Are seed phrases being replaced?

They remain the most widely compatible backup. MPC, social recovery, and seedless UX are growing, with different trade-offs.

What are the most common mistakes?

Typing your seed into websites, storing photos of it, keeping a single copy, and losing a passphrase.

Features

Improvements

Bug fixes

Self-custody

Related Articles

Do more with your crypto

Get started
Download
Bleap
Crypto
Buy CryptoCompare Crypto
Card
How crypto card worksCashback 2%Credit Card Comparison
Navigation
HomeLoginHelp
About us
BlogTerms of ServiceRisk DisclosurePrivacy PolicyAmbassador ProgramCareers
Social Media

© Bleap LTD 2025. All rights reserved.

Bleap Sp. z o.o is a limited liability company incorporated in Poland under company number 526782047, with its registered office at Piotrkowska, nr 116, lok. 52, ƁódĆș, 90-006, Republic of Poland and is registered in the Polish Register on Virtual Currencies Business Activity (Cryptocurrencies Register) under number RDWW-1009.

The Bleap Mastercard cards are issued by Unlimint, authorised by the Bank of Cyprus under the electronic money institution license to issue e-money and is a member of Mastercard Scheme. Please note that electronic money products are not covered by the Deposit Insurance System of the Republic of Cyprus. We ensure that any funds received by you are held in a segregated account so that should Unlimint be insolvent your funds will be protected against claims made by our creditors.