BIP-39 (Bitcoin Improvement Proposal 39) is the technical standard that defines how a random cryptographic seed is converted into a sequence of human-readable words — the seed phrase, mnemonic, or recovery phrase that every cryptocurrency wallet user is instructed to write down and keep safe. BIP-39, combined with BIP-32 (hierarchical deterministic wallets) and BIP-44 (account structure), forms the complete standard behind “write down these 12 words” — the single most important user-facing security concept in self-custody crypto.
The Problem BIP-39 Solves
A cryptocurrency private key is a 256-bit random number — something like:
“`
E9873D79C6D87DC0FB6A5778633389F4453213303DA61F20BD67FC233AA33262
“`
This is impossible for humans to memorize or transcribe reliably. Before BIP-39, users backed up wallet.dat files or raw private keys — easily corrupted, difficult to verify, not human-memorable.
BIP-39 converts this entropy into a sequence of common English words that can be written on paper, memorized, or inscribed in metal.
How It Works
BIP-39 follows a five-step process to convert raw entropy into a human-usable seed.
Step 1: Generate Entropy
Step 2: Compute Checksum
Step 3: Split Into 11-Bit Groups
Step 4: Map to Words
Result:
- 128-bit entropy → 12 words
- 256-bit entropy → 24 words
Step 5: Seed Derivation (PBKDF2)
The BIP-32/39/44 Stack
BIP-39 is one piece of a three-standard system:
| Standard | Function |
|---|---|
| BIP-39 | Converts entropy to human-readable mnemonic words |
| BIP-32 | Defines HD wallet key derivation tree from a 512-bit seed |
| BIP-44 | Standardizes the derivation path structure (account, chain, address index) |
Together: your 12 words → 512-bit seed (BIP-39) → master key → derived accounts for Bitcoin, Ethereum, all chains (BIP-32 + BIP-44).
This is why a single 12-word phrase can back up your Bitcoin wallet AND your Ethereum wallet AND your Solana wallet simultaneously — they all derive from the same seed.
Security Properties
Brute force resistance:
128-bit entropy → 2^128 possible seed phrases ≈ 340 undecillion combinations
256-bit entropy → 2^256 possible seed phrases — computationally infeasible to brute force with any foreseeable technology
Checksum validation:
The last word partially encodes a checksum. Wallets can tell if a mnemonic is invalid — typos tend to fail checksum. (Note: checksums catch random errors, not all wrong seeds — a valid but wrong seed restores a valid but empty wallet.)
Optional Passphrase (25th Word)
BIP-39 supports an optional passphrase (sometimes called a “25th word”) appended to the mnemonic before seed derivation:
- Any passphrase (including an empty one) produces a valid but different seed
- This allows “plausible deniability” — a wrong passphrase reveals a decoy wallet with small funds; the real passphrase reveals the actual holdings
- Warning: losses occur if users forget a passphrase — there is no recovery mechanism
Common Misconceptions
“My 12 words are stored somewhere by my wallet provider”
No wallet that correctly implements BIP-39 stores your seed phrase server-side. The entire point is that the seed is generated and stored only by you. Custodial services (Coinbase, Gemini) don’t use seed phrases — they hold keys for you.
“12 words is less secure than 24 words”
In practice, 128-bit entropy (12 words) is computationally infeasible to brute force. 24 words offer 256-bit security — theoretically stronger, but the practical difference is zero for all current and foreseeable threats. The additional security comes at the cost of more words to back up and verify.
“If someone finds your seed phrase, they can only steal Bitcoin”
A BIP-39 seed phrase controls all derived wallets for all chains — Bitcoin, Ethereum, Solana, and any other BIP-44-compatible blockchain. The attacker can drain all assets across all supported chains.
History
- 2012 — Pieter Wuille publishes BIP-32, defining hierarchical deterministic (HD) wallets and the key derivation model that BIP-39 would later feed into.
- 2013 — Marek Palatinus (slush) and Pavol Rusnak propose BIP-39 to standardize mnemonic backup phrases for Bitcoin wallets, with an accompanying 2,048-word English wordlist.
- 2014 — BIP-44 published by Palatinus, Rusnak, and others, completing the three-standard stack and defining the multi-account derivation path structure used across all major wallets today.
- 2016–2018 — Ledger and Trezor hardware wallets adopt BIP-39 as their primary backup standard, making seed phrase backup the de facto recovery method across the hardware wallet industry.
- 2020s — MetaMask, Phantom, and Coinbase Wallet extend BIP-39/44 support across EVM and non-EVM chains; the standard becomes the universal wallet backup format regardless of blockchain. Additional language wordlists (Chinese, Japanese, Spanish, Korean, French, Italian, Czech, Portuguese) are merged into the BIP-39 spec.
Related Terms
Sources
- BIP-39: Mnemonic Code for Generating Deterministic Keys — Palatinus & Rusnak (2013). The original specification defining the wordlist, entropy-to-mnemonic process, and PBKDF2 seed derivation.
- BIP-32: Hierarchical Deterministic Wallets — Wuille (2012). Defines the HD wallet key derivation tree that BIP-39 seeds feed into.
- BIP-44: Multi-Account Hierarchy for Deterministic Wallets — Palatinus et al. (2014). Standardizes the derivation path structure (m/purpose’/coin_type’/account’/change/index) used by all major wallets.