ShopA Bitcoin seed phrase is a sequence of 12 or 24 common English words that encodes the master seed from which a Bitcoin wallet generates every private key, public key, and address it will ever use. It is the single most important piece of information in a Bitcoin self-custody setup.
What is a Bitcoin Seed Phrase?
When you set up a Bitcoin wallet, the first thing it does is generate a list of words and tell you to write them down. Those words are your seed phrase, which is completely different from a username, password, or PIN. They are the entire cryptographic foundation of your wallet in a format you can record on paper.
Generating a seed phrase is the first step to produce private keys, which are the focal point in controlling and owning bitcoin.
The Key-Cutter Analogy
You can think of a seed phrase as Master Key-Cutting Machine, and each private key is a unique key it produces. The machine itself never fits into a lock, but it holds the internal logic required to create an infinite number of keys that will always fit their specific doors perfectly.
From those 12 or 24 words, every private key, public key, and receiving address your wallet uses can be derived and reproduced on any compatible wallet software, at any time.
The words themselves come from a standardized list of 2,048 common English words defined by BIP39, a Bitcoin Improvement Proposal that established the seed phrase format. Each word in the list corresponds to an 11-bit value, which is how a sequence of words can encode a large random number. The word format exists because numbers are hard to transcribe accurately without error. Words are easier to write, read, and verify.
You may also see seed phrases called "recovery phrases" or "mnemonics." These all refer to the same thing, but seed phrase is the most precise term.
Is a Seed Phrase the Same as a Private Key?
Seed phrases are not private keys.
A private key is a 256-bit number that controls bitcoin at a specific address If you lose a private key and are unable to recover it, you lose access to the bitcoin sent to that address. If someone else gets the private key, they control that bitcoin.
A seed phrase encodes the master seed from which every private key in the wallet is derived. It controls not one address but the entire key hierarchy, covering every address, every key, and every amount of bitcoin the wallet contains or will ever generate. If you lose the seed phrase or someone else gains access to it, you lose all of it.
This is why the seed phrase is the backup and is more consequential that individual private keys. In a properly constructed HD wallet, you do not back up individual private keys, because they are all derivable from the seed phrase. The phrase is the complete and sufficient backup for the entire wallet.
Seed Phrase vs. Password
A seed phrase is also not a password. A password is something that you can choose and which authenticates you to a central service that checks it against a stored record. That service can reset or recover your password, or deny you access to the service if they choose.
A seed phrase has no service, no server, and no stored record on the other end. It is the mathematical root of the key hierarchy. Entering your seed phrase is not the equivalent to logging into an app, and should be treated with much more care and caution.
It is worth stating plainly that there is no legitimate reason for any website or service to have access to your seed phrase. Requests for it, whether framed as verification, recovery, synchronization, or any other purpose, are attempts to *teal your wallet. The only place a seed phrase should ever be entered is into a hardware signing device during setup or restoration.
What is the Difference Between 12 and 24 Words?
The short answer is that both 12-word and 24-word seed phrases are secure. Neither is vulnerable to brute-force attack with any computing technology that exists or is foreseeable. The difference is how much entropy each encodes.
-
A 12-word seed phrase encodes 128 bits of entropy. The number of possible 12-word seed phrases is 2¹²⁸, a number with 39 decimal digits. To put that in perspective, if every computer on earth made a trillion guesses per second, checking that many possibilities would take far longer than the current age of the universe.
-
A 24-word seed phrase encodes 256 bits of entropy. The number of possible 24-word phrases is 2²⁵⁶, roughly the same order of magnitude as the number of atoms in the observable universe. The key space is approximately 2 × 10⁷⁷.
The practical difference between them is not security against brute force. At 128 bits, a 12-word phrase is already beyond any realistic attack. The difference comes down to personal preference. Some users prefer 24 words as a margin against future cryptographic advances, even if those advances remain hypothetical. Others find 12 words sufficient and prefer the shorter phrase to write down and verify.
Both formats are Bitcoin-standard, defined in BIP39 and both are supported by every major hardware signing device and wallet software. Choosing between them is a judgment call, not a security imperative.
What Happens if You Lose Your Seed Phrase?
If you lose your seed phrase and have no backup, access to every key and bitcoin in that wallet is permanently gone. There is no customer support to call, no account recovery form to fill out, and no authority with any ability to help.
No company holds a copy of your seed phrase. When your wallet generates the seed phrase, it does so on your device, and the words are shown only to you. They are not transmitted to any server and not retained by any service. Where you write them is the only place they exist.
There is no recovery path within the Bitcoin protocol to recover a lost seed phrase. The seed phrase produces keys through a mathematical process, and without the input, the output of your private keys cannot be reproduced. In such a situation, your bitcoin holdings at addresses derived from that seed remain on the ledger, visible, unchanged, permanently recorded, but unspendable. They are simply locked to addresses whose corresponding keys can no longer be produced, and will sit there indefinitely.
The implications of losing your seed phrase means that you should treat it with utmost care. You should also record and safely secure your seed phrase before any funds are sent to addresses derived from it. This should not be a follow-up task to do later, but as the first act after the wallet is generated.
How Should You Store a Seed Phrase?
Given the severity of losing your seed phrase, storage and safe keeping are paramount. The backup must exist, and it must survive the scenarios that are most likely to threaten it.
Since your seed phrase controls the entire wallet, its storage deserves the same care given to any high-value physical asset. The threats to a seed phrase backup are physical theft, environmental destruction, and single points of failure. Each of the following practices addresses one or more of them.
-
Write it down, offline. Paper is acceptable, however a dedicated metal backup, stamped or engraved, is more durable and fire-resistant. Neither requires any electronic device as the goal is a physical record that exists independently of any internet-connected electronically-dependent system.
-
Do not store it digitally. A photo on your phone, a note in a cloud service, or an email to yourself is not a good storage solution. Each of these stores the seed phrase on systems that are internet-connected, potentially synchronized across devices, and subject to both remote compromise and platform failure. A seed phrase in a cloud folder can be accessed by anyone who can gain access to that folder.
-
Keep it separate from the signing device. If the seed phrase and the signing device are in the same location and that location is compromised (burglary, fire, flood), both are lost together. Storing them separately means a compromise of one location does not mean a loss of the wallet.
-
Consider redundancy. A single paper backup in a single location is a single point of failure. Many users keep more than one backup in more than one location. The right approach depends on your threat model. What are the realistic risks to a given storage location, and how much of the key hierarchy would be exposed if that location were compromised? Bitcoin Security Threat Models covers this in greater detail.
-
Guard it as a physical asset. Anyone who sees, photographs, or reads your seed phrase has the information needed to reconstruct your wallet and take your bitcoin. A briefly visible seed phrase is a permanently vulnerable one.
There is also an optional extension worth knowing. A passphrase (sometimes called the 25th or 13th word) can be added to the seed phrase to create a separate wallet derivable only when both the phrase and the passphrase are known together. This is not a requirement, but it is a meaningful option for users who want an additional layer of protection.
How is a Seed Phrase Generated?
The words in a seed phrase are not chosen by you and are not random in the casual sense. They are generated by the wallet from cryptographically secure randomness, then transformed into words through a defined process.
The generation process works in six steps:
-
Generate entropy. The wallet uses a cryptographically secure random number generator (CSPRNG) to produce a random number. For a 12-word phrase, this is 128 bits of entropy. For a 24-word phrase, it is 256 bits. Some hardware wallets let you contribute your own randomness, such as rolling dice repeatedly to generate the random number.
-
Append a checksum. The wallet computes the SHA-256 hash of the entropy and takes the first few bits of that hash as a checksum. A checksum is an internal security check that uses a mathematical formula to verify a string of data, ensuring that any accidental typo or malicious alteration is immediately flagged as an invalid entry. For 128 bits of entropy, the checksum is 4 bits, whereas for 256 bits, it is 8 bits. This checksum is appended to the entropy, producing 132 or 264 bits in total.
-
Divide into 11-bit groups. The combined bit string is split into groups of 11 bits each. A 12-word phrase has 12 groups, whereas 24-word phrase has 24 groups.
-
Map each group to a word. Each 11-bit value (ranging from 0 to 2,047) maps to the corresponding word in the BIP39 wordlist. For example, '00000000000' corresponds to the 1st word (“Abandon”), '00000000001' corresponds to the 2nd word (“Ability”), and so on until '11111111111' corresponds to the 2,047th word (“Zoo”). This produces the sequence of words you write down.
-
Derive the 512-bit master seed. The wallet feeds the mnemonic phrase into a computational function called PBKDF2-HMAC-SHA512. This function runs 2,048 rounds of processing on purpose, making it slow enough that an attacker trying to guess your phrase would face an enormous amount of work. The output is a 512-bit master seed: a large block of data that serves as the cryptographic starting point for generating all your keys.
-
Derive the master key. The master seed gets passed into BIP32, which splits it into two pieces: a master private key and a master chain code. Together, these are the root of the wallet. Every private key, public key, and address branches out from them in a structured hierarchy.
What this means end to end is that every private key, public key, and address your wallet generates flows from those 12 or 24 words through this deterministic process. The same words, in the same order, always produce the same keys, on any BIP39/BIP32-compatible wallet. The seed phrase is the wallet.
Related articles
How Bitcoin wallets work
How Bitcoin wallets generate keys, derive addresses, and sign transactions, and why they store keys, not bitcoin.
What is a Bitcoin private key?
The 256-bit secret number that proves Bitcoin ownership: what it is, how it works, and why it must never be shared.
HD wallets and Bitcoin derivation paths
How HD wallets derive every key from a single seed, and what the derivation path numbers mean.
What is Bitcoin self-custody?
Why holding your own keys is the only way to truly own your bitcoin