Your Bitcoin wallet’s security boils down to a list of random words. But how random is random? And how hard would it be for someone to guess your seed phrase?
When setting up a new wallet, you’re typically given 12 or 24 words to back it up. Many assume this is just a long password. But the truth is far more interesting.
What are the odds of someone generating the same phrase as you? What protections exist against typos, missing words, or writing them in the wrong order? And why can’t you just make up your own list?
In this walkthrough, we’ll generate a new mnemonic and explore how it was built from raw entropy, how it’s validated, and how it becomes a Bitcoin wallet. Hit “Generate” to get started.
🔑 Mnemonic Generator
Disclaimer: For demo purposes only. Do not use this mnemonic for storing Bitcoin, and never - under any circumstances - enter your real mnemonic into any website.
What you’ve just generated is a known as a BIP39 mnemonic. This phrase is statistically unique - the odds of it ever appearing again are effectively zero.
For the purposes of storing Bitcoin, one of the most compelling things about BIP39 mnemonics is that they encode everything that’s needed for a fully-functional and completely valid Bitcoin wallet. No third party is required to register or authenticate your phrase. In fact, you could run through the generation process offline using pen and paper, store your mnemonic and keys in your head, and a friend could send you Bitcoin immediately.
Please don’t actually do this - use a proper hardware wallet.
Before diving into exactly how your mnemonic was generated, let’s explore some of its interesting properties. Try changing the spelling of a word, adding a word, or reordering your words, and see what happens. Hit ‘Reset’ to restore your original mnemonic.
✅ Mnemonic Validator
Changing a single letter of one word makes your mnemonic invalid. Note that we’re not just talking about it being incorrect - when a mnemonic is invalid, it means the sequence of words couldn’t ever be used to generate or restore a wallet. It’s the difference between “there’s no Bitcoin on this wallet” versus “this is not a valid Bitcoin wallet”.
This is because BIP39 mnemonics have their own strict rules. These govern not only which words are allowed, but also describe a mechanism for encoding a mnemonic’s ‘fingerprint’ into the phrase itself, to check its validity.
But before we dive into that, let’s take a step back. When you clicked “Generate” above, what exactly happened?
Harnessing entropy
You don’t need permission. You don’t need violence. You don’t need to ask a politician, a teacher, or a banker. You just need a really big number.” - Jack Mallers
To store Bitcoin, all you need is a very large number. Your wallet uses this number to generate all the keys and addresses that will be uniquely yours.
It is vital that this number is completely random. Anything that a human thinks is random almost certainly won’t be random enough. You could generate a sufficiently random number by flipping a (fair) coin or rolling dice - and in fact, some people do exactly that. But since we have a computer at our disposal, we’ll use a cryptographically secure random number generator to make things faster and less error-prone.
For our 12, 18, or 24 word phrase, we need 128, 192, or 256 bits of randomness, meaning a binary string of ones and zeros of that length.
Below, you’ll find the exact entropy (randomness) used to generate your mnemonic phrase. You can change your entropy by tapping on individual bits.
Go ahead and flip a bit - see what happens.
🎲 Entropy Visualiser
How big is this number?
Our brains are not very good at grasping the scale of anything really big. We lack any frame of reference to grasp the difference between a billion and trillion, let alone a decillion. So here’s a quick analogy to illustrate the scales we’re talking about…
Imagine if every person alive today arrived on this page and clicked the “Generate” button, just as you did. Imagine they kept clicking it, once per second, generating a new wallet each time, and continued clicking it for the next 4 billion years (longer than planet Earth has had life). Even if you gave each of the ~8 billion people on Earth today an army, which was itself the size of the Earth’s population, and set them to work clicking the button, you wouldn’t even come close to the scale of the Bitcoin keyspace.
Bear in mind: this analogy applies to just 128 bits of entropy — the kind you’d get from a 12-word recovery phrase. If you chose a 24-word phrase, you’d be working with 256 bits of entropy. That’s a number so large, it’s comparable to the total number of atoms in the observable universe.
Encoding entropy
Suffice to say, you now have a very big number.
But this number doesn’t make a great password. It’s hard to remember, troublesome to store, and error-prone to type out. If you make a mistake, you risk permanently losing access to your funds. By encoding your entropy as a BIP39 mnemonic, you gain two important benefits:
- Resistance to mistakes: The original BIP39 spec defined a list of 2048 English language words. It avoids similar words (e.g.
buildvsbuilt), meaning each word is sufficiently unique that the first 4 letters are enough to identify it. - Self-validation: If you switch one valid word for another, your mnemonic will probably be invalidated (as demonstrated by the validator, earlier). This is thanks to a checksum; a digital fingerprint in your final word.
You might’ve noticed how changing a single bit in the middle of your entropy usually results in two words changing, not just one. Almost all changes will result in the final word changing. This is thanks to the checksum.
To understand exactly how the checksum works, and how your entropy is mapped to the word list, we must take a brief detour into SHA-256 hashes.
🔐 SHA-256 Hash Demo
Type anything below to see its SHA-256 hash as hexadecimal or binary.
Type anything into the field above - be it a single letter to a whole paragraph - and you’ll get a cryptographic hash (or ‘fingerprint’) that’s exactly 256 bits in length.
Some useful properties of the SHA-256 algorithm:
- One way: Hashing something is almost instantaneous. But it’s impossible to go in the opposite direction; to derive an input from its hash. The only way to do this is to try various inputs until you get the hash you’re looking for.
- Deterministic: Hashes look random, but they’re not. A given input will always produce the same output. And yet changing a single character in the input changes the resulting hash unrecognisably.
- Consistent length: You could put a 6GB HD movie through the SHA-256 algorithm, and the resulting hash would still only be 256 bits long.
- Collision resistance: The number of possible hashes is - for our purposes - infinite. The odds of two different inputs resulting in the same hash are so small that they’re considered negligible, even when accounting for the birthday problem.
The SHA-256 algorithm is used in multiple parts of the Bitcoin network. How is it relevant to your mnemonic?
Fingerprinting entropy
Your entropy is hashed using the SHA-256 algorithm to get its unique fingerprint.
A small chunk of this fingerprint - the checksum - is added to the end of your entropy. For 128 bit entropy, the first 4 bits of the hash is used as the checksum, while for 192 or 256 bits of entropy you’ll have a 6 bit or 8 bit checksum respectively.
- 128 + 4 = 132 bits
- 192 + 6 = 198 bits
- 256 + 8 = 264 bits
Whatever the resulting length, it’s always divisible by 11.
And now, at last, we can see how your very large number is converted into words. Each 11 bit chunk maps to a word. 11 bits of data represents 2048 unique possibilities, so there are 2048 words to choose from:
- abandon:
00000000000 - balance:
00010001101 - camera:
00100000101 - daring:
00110111100 - and so on…
The last 4, 6, or 8 bits of your final word are determined by the checksum. Try it out - I’ve highlighted the checksum bits to make them easy to spot:
🔎 Checksum Visualiser
A nice thought experiment which stuck with me: binary is base 2 (two possibilities: 0 or 1). Decimal is base 10 (0-9). Hexadecimal is base 16 (0-9, A-F). The BIP39 system is somewhat like base 2048. Not mathematically, but conceptually; each word represents one of 2048 possibilities, like a language-based counting system.
Before wrapping up, there’s one last question to answer: how does your mnemonic phrase get turned into a wallet, replete with billions of possible addresses at its disposal? This is possible thanks to the innovation of Hierarchical Deterministic wallets.
Securing entropy
HD wallets have become the de-facto industry standard since their introduction in BIP32. BIP stands for Bitcoin Improvement Proposal, in case you were wondering.
An HD wallet derives all its unique addresses and keys from a single source. This is in contrast to older wallets, which required users to store all their private keys individually. It works like this: your mnemonic phrase - and an optional passphrase - is passed through a function called PBKDF2 (or Password Based Key Derivation Function 2). This applies the HMAC-SHA512 algorithm repeatedly to produce a 512-bit wallet seed. It’s computationally slow by design, as a way to provide some protection against brute-force attacks.
The resulting wallet seed deterministically derives the same keys and addresses every time, enabling full recovery from backup.
🔒 Wallet Seed Generator
Your generated mnemonic phrase and seed:
Disclaimer: For demo purposes only. Do not use this seed for storing Bitcoin, and never - under any circumstances - enter your real mnemonic or seed into any website.
Note that by changing your passphrase, you get a completely different seed. This is what makes the passphrase feature so powerful - and potentially so dangerous when misunderstood.
The key point is this: for a given mnemonic phrase, an effectively infinite number of unique wallets can be generated simply by changing the passphrase. By default, an empty passphrase is passed into the PBKDF2 function, so any additional wallets which are passphrase-protected can be described as ‘hidden’ wallets:
- Wallet A = mnemonic + [default empty passphrase]
- Wallet B = mnemonic + passphrase_1
- Wallet C = mnemonic + passphrase_2
- and so on…
Passphrases can therefore add an additional layer of security to your Bitcoin custody, and can even be used to create decoy wallets to be surrendered under duress. If you forget your passphrase, however, the associated wallet is permanently irretrievable - regardless of how well you’ve backed up your mnemonic phrase. This is a crucial point to understand, and I’d highly recommend reading this article on passphrases if you’d like to better understand the associated tradeoffs.
They’re not just a password: While sometimes referred to by wallet manufacturers as an “extra” word of your mnemonic phrase, the passphrase is much more powerful than this suggests. In cryptographic terms it’s known as a salt, and - unlike the BIP39 wordlist - anything up to 50 characters will be accepted (including empty spaces and punctuation). Do your research before deciding whether they’re for you.
The universe smiles on encryption
At last we’ve arrived at our destination.
We’ve encoded raw entropy into a mnemonic seed, and followed it through the process of becoming a wallet seed, which will act as the source for billions of potential keys and addresses.
Exactly how this wallet seed becomes keys and addresses will require a deep dive into BIP32 and Hierarchical Deterministic (HD) wallets. This is what I intend to build next.
If you enjoyed this guide or found it valuable, please consider buying me a coffee. I promise it will fuel me to write the interactive guide to HD wallets next!
Loading...
Thanks for reading! Stay safe, keep stacking.
Credits
This page began as notes for myself that I had no intention of publishing. Eventually I coded some basic visualisations, and found them such an intuitive way of grasping the BIP39 system that I decided to develop them into something worth publishing, in the hope of inspiring more people to go on the Bitcoin journey.
I’m indebted to many creators, writers, and leaders in the Bitcoin space for their contributions. Special thanks to:
- Paul Miller’s audited & minimal implementation of BIP39: https://github.com/paulmillr/scure-bip39
- Ian Coleman’s BIP39 tool: https://iancoleman.io/bip39/
- Greg Walker’s explanation of HD wallets (and his feedback on this article): https://learnmeabitcoin.com/technical/keys/hd-wallets/
- Arman the Parman’s tutorial on private keys using dice: https://armantheparman.com/dicev2/
- Tom Honzik of Unchained, for feedback on this article and on passphrases specifically: https://tomhonzik.com
Guide last updated: July 29th, 2025