BIP-39 Mnemonic Guide: Seed Phrases, Entropy, and Derivation Explained

April 20, 2026•9 min read

Every Bitcoin, Ethereum, and Solana wallet ultimately traces back to a sequence of 12 or 24 ordinary English words. Those words are a BIP-39 mnemonic — a human-writable encoding of cryptographic entropy that can regenerate every private key in a hierarchical-deterministic (HD) wallet. Use the BIP-39 Mnemonic Generator to follow along as you read.

Why BIP-39?

Before BIP-39 (Bitcoin Improvement Proposal 39, published 2013), backing up a wallet meant exporting a raw hex private key or a long base58 string — formats that are easy to transcribe incorrectly and impossible to memorize. BIP-39 replaced that with a wordlist encoding that is:

Human-writable — words can be written on paper, stamped into metal, or spoken aloud without ambiguity
Internationally portable — official wordlists exist for English, Chinese (simplified and traditional), Czech, French, Italian, Japanese, Korean, Portuguese, and Spanish
Cross-chain — the same mnemonic regenerates HD wallets for Bitcoin, Ethereum, Solana, and any other chain that implements BIP-32/BIP-44 key derivation

Wordlist Design

The English wordlist contains exactly 2048 words. That number is not arbitrary: 2048 = 2¹¹, so each word encodes exactly 11 bits of information. The list was curated with several constraints:

4-character uniqueness — no two words share the same first four characters. This means a mnemonic can be stored with only the first four letters of each word and still be unambiguous. Hardware wallets exploit this for compact display.
No confusable pairs — words that look or sound similar (e.g., bind / kind) were excluded to prevent transcription errors.
Common vocabulary — all words appear in standard English dictionaries and are recognizable to non-native speakers.

Non-English wordlists follow the same 2048-word, 4-character-unique-prefix rule, but English is the canonical reference. Mixing words from different language wordlists produces an invalid mnemonic and will silently derive a completely different wallet — or no valid wallet at all.

Encoding Math: From Entropy to Words

Generating a mnemonic is a four-step process. Understanding it explains why specific word counts exist and why randomly choosing any 12 words almost never produces a valid phrase.

Generate entropy — draw N bits from a cryptographically secure random number generator (CSPRNG). Valid values: 128, 160, 192, 224, or 256 bits.
Compute checksum — take the SHA-256 hash of the entropy bytes and append the first N/32 bits to the end of the entropy.
Split into 11-bit groups — divide the combined bitstring into groups of 11 bits. Each group is an integer 0–2047 that indexes one word in the wordlist.
Map to words — look up each index in the BIP-39 wordlist to get the final mnemonic.

Word Count and Entropy Table

Words	Entropy bits	Checksum bits	Total bits	Security
12	128	4	132	128-bit (equivalent to AES-128)
15	160	5	165	160-bit
18	192	6	198	192-bit
21	224	7	231	224-bit
24	256	8	264	256-bit (equivalent to AES-256)

12 vs 24 words: 128 bits of entropy is already computationally unbreakable with any foreseeable hardware — brute-forcing a 128-bit keyspace at one billion guesses per second would take longer than the age of the universe. The practical reason to choose 24 words is alignment with institutional security policies or hardware wallets that default to 256-bit seeds.

The Checksum Role

The checksum bits at the end of the bitstring serve a single purpose: detecting invalid mnemonics. When a wallet imports a phrase, it reconstructs the entropy, recomputes the SHA-256 hash, and verifies the checksum bits match.

For a 12-word phrase, 4 checksum bits means there is a 1-in-16 (6.25%) chance that a randomly chosen set of 12 valid English words passes the checksum. For 24 words (8 checksum bits), the probability drops to 1-in-256. This is enough to catch single-word typos and most random guesses, but it is not a collision-resistant hash — do not rely on the checksum for security.

Deriving the Seed from a Mnemonic

The mnemonic phrase is not the seed — it is an input to a key-stretching function that produces the 512-bit seed used by BIP-32 key derivation:

seed = PBKDF2-HMAC-SHA512(
  password  = mnemonic phrase (UTF-8 normalized, NFKD),
  salt      = "mnemonic" + passphrase,
  iterations = 2048,
  dkLen     = 64 bytes  // 512 bits
)

The 2048 iteration count slows down brute-force attacks against short passphrases. The string literal "mnemonic" is a hardcoded prefix in the salt — it is not configurable.

The 25th Word: Passphrase Extension

BIP-39 allows an optional passphrase appended to the "mnemonic" salt string. Because it feeds directly into the PBKDF2 derivation, it produces a completely different 512-bit seed — and therefore a completely different set of wallet addresses — from the same mnemonic.

Key properties of the passphrase:

Not stored anywhere — wallets never save the passphrase. Losing it means permanent loss of access to the funds derived from that passphrase + mnemonic combination.
Plausible deniability — a 12-word mnemonic with no passphrase might hold a small decoy balance, while the same mnemonic with a passphrase holds the real funds. Both are valid wallets.
Any string is valid — an empty passphrase (the default) and a single space are different passphrases producing different seeds. There is no checksum; a typo silently opens a different empty wallet.

Derivation Paths

The 512-bit seed feeds into BIP-32 hierarchical-deterministic key derivation. BIP-44 standardized a path structure that encodes purpose, coin type, account, change, and address index:

m / purpose' / coin_type' / account' / change / address_index

Common paths used by major wallets:

Chain	Standard	Path	Notes
Bitcoin (Legacy)	BIP-44	`m/44'/0'/0'/0/0`	P2PKH addresses starting with 1
Bitcoin (SegWit)	BIP-84	`m/84'/0'/0'/0/0`	Native bech32 addresses starting with bc1
Ethereum	BIP-44	`m/44'/60'/0'/0/0`	Same path used by MetaMask, Ledger, Trezor
Solana	BIP-44	`m/44'/501'/0'/0'`	Ed25519 keys; Phantom and Solflare default

The apostrophe (') denotes hardened derivation, which prevents child key compromise from leaking the parent private key.

Code Examples

Node.js

npm install bip39

import * as bip39 from 'bip39';

// Generate a 12-word mnemonic (128-bit entropy)
const mnemonic12 = bip39.generateMnemonic(128);
// Generate a 24-word mnemonic (256-bit entropy)
const mnemonic24 = bip39.generateMnemonic(256);

// Validate a mnemonic (checks wordlist + checksum)
const isValid = bip39.validateMnemonic(mnemonic12); // true

// Derive the 512-bit seed (optional passphrase)
const seed = await bip39.mnemonicToSeed(mnemonic12, 'optional-passphrase');
console.log(seed.toString('hex')); // 128 hex chars = 64 bytes

Python

pip install mnemonic

from mnemonic import Mnemonic
import hashlib, hmac

mnemo = Mnemonic("english")

# Generate
words = mnemo.generate(strength=128)   # 12 words
words24 = mnemo.generate(strength=256) # 24 words

# Validate
assert mnemo.check(words) is True

# Derive seed (PBKDF2-HMAC-SHA512)
seed = Mnemonic.to_seed(words, passphrase="")
print(seed.hex())  # 128 hex chars

Rust

# Cargo.toml
[dependencies]
bip39 = "2"

use bip39::{Mnemonic, Language};

fn main() {
    // Generate 12-word mnemonic
    let mnemonic = Mnemonic::generate_in(Language::English, 12).unwrap();
    println!("{}", mnemonic);

    // Derive seed with optional passphrase
    let seed = mnemonic.to_seed("optional-passphrase");
    println!("{}", hex::encode(seed)); // 128 hex chars
}

Common Pitfalls

Never store seeds digitally. A mnemonic in a text file, screenshot, cloud note, or password manager is exposed to remote attackers. Write it on paper or stamp it into metal and store it offline.
Word order is not detected by checksum. Swapping two words in a 12-word phrase will almost always fail the checksum check — but not always. There is roughly a 1-in-16 chance the reordered phrase has a valid checksum that derives a different, empty wallet. Always verify the word order carefully.
Do not mix languages. Substituting even one word from a Spanish or Chinese wordlist into an English mnemonic silently produces a different wallet. Most wallets will reject the phrase outright since the word is not in their wordlist, but some multi-language implementations may not.
Short passphrases are weak. The 2048 PBKDF2 iterations are a mild hardener, not a substitute for passphrase entropy. A four-character passphrase is trivially brute-forceable if the attacker already has your mnemonic. Use a random passphrase of at least 20 characters, or none at all.
Passphrase typos are permanent. There is no checksum on the passphrase. A typo opens a different valid wallet silently. Test your passphrase by deriving the first address and confirming it matches before funding the wallet.

Generate and validate BIP-39 mnemonics directly in your browser with the BIP-39 Mnemonic Generator — all entropy is generated locally and nothing leaves your machine. For related tooling, see also the guides on UUID generation and developer generators overview.