
BIP-39

BIP-39 is a Bitcoin Improvement Proposal that defines a standard for generating a mnemonic sentence (seed phrase) from random entropy, used to create deterministic cryptocurrency wallets.
Chainscore © 2026
BLOCKCHAIN STANDARD

What is BIP-39?

BIP-39 is the Bitcoin Improvement Proposal that defines the standard for generating human-readable mnemonic phrases, also known as seed phrases or recovery phrases, used to back up and restore cryptocurrency wallets.

BIP-39 (Bitcoin Improvement Proposal 39) is a technical standard that specifies the creation of a mnemonic code or seed phrase for generating deterministic wallets. Its primary function is to encode the wallet's random entropy (a long, random number from which the seed and the keys that control crypto assets are derived) as a sequence of 12 to 24 common English words. This process, known as mnemonic encoding, makes it significantly easier for users to accurately write down and securely back up the single piece of information needed to recover an entire wallet and all its derived addresses. The standard is defined in BIP-39 on GitHub.

The technical process involves several key steps. First, the wallet generates random entropy (128 to 256 bits). This entropy is hashed with SHA-256, and the first entropy_length/32 bits of the hash (4 bits for 128-bit entropy, 8 bits for 256-bit entropy) form the checksum, which is appended to the original entropy. The combined bit sequence is split into groups of 11 bits, each of which maps directly to a predefined word from the BIP-39 wordlist, which contains 2048 simple, unambiguous words. The resulting ordered sequence of words is the mnemonic phrase. A critical feature is the inclusion of the checksum, which allows wallets to detect typographical errors when a user is entering their phrase for recovery.

While proposed for Bitcoin, BIP-39 has become a universal standard adopted by thousands of cryptocurrency wallets and blockchains beyond Bitcoin, including Ethereum, Solana, and Cardano. Its widespread adoption means a single BIP-39 phrase can often recover assets across multiple different wallet applications and even different blockchains, provided they use the same derivation path standard (like BIP-32/BIP-44). This interoperability is a key reason for its dominance. However, the security of the entire system rests entirely on the secrecy of this phrase; anyone who obtains it gains full control over the associated funds, underscoring the importance of secure, offline backup.

STANDARDIZATION

Etymology & Origin

The origin story of BIP-39 reveals the practical challenges of early cryptocurrency storage and the community-driven process of standardizing a critical security component.

BIP-39, or Bitcoin Improvement Proposal 39, is a technical standard that defines the generation of a mnemonic phrase—a human-readable list of words—from which cryptographic keys for a cryptocurrency wallet are deterministically derived. Proposed by Marek Palatinus (Slush), Pavol Rusnak, and Aaron Voisine in 2013, its primary purpose was to create a standardized, cross-compatible method for backing up and recovering private keys, moving beyond error-prone, raw hexadecimal or WIF (Wallet Import Format) strings. The "39" denotes its sequential number in the Bitcoin Improvement Proposal repository, a system for proposing and documenting changes to the Bitcoin ecosystem.

The proposal's genesis was a direct response to the usability and security flaws of early wallet backup methods. Before BIP-39, users often had to manually copy long strings of random characters, a process prone to transcription errors that could lead to permanent fund loss. The innovation was to leverage a predefined wordlist of 2048 common English (and later, multilingual) words. By encoding entropy into this phrase, a user could reliably write down or memorize a backup. The standard specifies the exact process: generating random entropy, calculating a checksum, and mapping the combined bits to the wordlist, ensuring a clear, verifiable, and interoperable recovery process.

The technical etymology of mnemonic code traces back to concepts in cryptography and usability engineering. The use of a wordlist transforms 128 to 256 bits of entropy into a 12 to 24-word phrase, dramatically improving human interaction with cryptographic material. The checksum embedded in the phrase provides an immediate error-detection mechanism. While BIP-39 is inextricably linked to Bitcoin's BIP process, its utility and elegant design led to near-universal adoption far beyond Bitcoin. It is now the de facto standard for seed phrase generation in thousands of cryptocurrency wallets across dozens of blockchains, including Ethereum, Litecoin, and most major altcoins, cementing its role as a foundational piece of crypto infrastructure.

MNEMONIC SEED PHRASE STANDARD

How BIP-39 Works

BIP-39 (Bitcoin Improvement Proposal 39) is the technical standard that defines the creation and usage of mnemonic seed phrases for generating deterministic wallets.

BIP-39 is a technical standard that describes the generation of a mnemonic code or seed phrase—a human-readable list of words—used to derive a deterministic wallet's master seed. The process begins with the creation of entropy, a random sequence of bits (typically 128 to 256 bits in length). This entropy is processed through a SHA-256 hash function to create a checksum, which is appended to the original entropy. The combined bit sequence is then divided into groups of 11 bits, each of which maps to a predefined word from a BIP-39 wordlist containing 2048 unique words, resulting in a 12, 15, 18, 21, or 24-word mnemonic sentence.
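The encoding described above and the reverse check a wallet runs at recovery, as an added Python example (not part of the original page or of any wallet's code). It works on 11-bit wordlist indices instead of words because the 2048-word list is not reproduced here; all function names are illustrative.

```python
import hashlib
import secrets

# Allowed phrase lengths and the entropy size (in bits) each one encodes.
WORD_COUNTS = {12: 128, 15: 160, 18: 192, 21: 224, 24: 256}


def entropy_to_indices(entropy):
    """Entropy bytes -> list of 11-bit wordlist indices (each 0..2047)."""
    ent = len(entropy) * 8
    if ent not in WORD_COUNTS.values():
        raise ValueError("entropy must be 128, 160, 192, 224 or 256 bits")
    cs = ent // 32  # checksum length in bits
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs)  # first cs bits
    combined = (int.from_bytes(entropy, "big") << cs) | checksum
    n = (ent + cs) // 11
    return [(combined >> (11 * (n - 1 - i))) & 0x7FF for i in range(n)]


def indices_to_entropy(indices):
    """Reverse mapping used at recovery; raises ValueError on a bad checksum."""
    if len(indices) not in WORD_COUNTS:
        raise ValueError("phrase must have 12, 15, 18, 21 or 24 words")
    if any(not 0 <= i < 2048 for i in indices):
        raise ValueError("index outside the 2048-word list")
    ent = WORD_COUNTS[len(indices)]
    cs = ent // 32
    combined = 0
    for i in indices:
        combined = (combined << 11) | i
    entropy = (combined >> cs).to_bytes(ent // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs)
    if combined & ((1 << cs) - 1) != expected:
        raise ValueError("checksum mismatch: word mistyped, missing or reordered")
    return entropy


def valid_last_words(first_indices):
    """Every final index that makes the phrase pass the checksum."""
    passing = []
    for last in range(2048):
        try:
            indices_to_entropy(list(first_indices) + [last])
            passing.append(last)
        except ValueError:
            pass
    return passing


if __name__ == "__main__":
    entropy = secrets.token_bytes(16)  # 128 bits from the OS CSPRNG
    idx = entropy_to_indices(entropy)
    print("indices:", idx)
    print("round trip ok:", indices_to_entropy(idx) == entropy)
    print(len(valid_last_words(idx[:-1])), "of 2048 last words pass the checksum")
```

For a 12-word phrase the checksum is only 4 bits, so 128 of the 2048 possible last words are accepted: the check catches most typos, but passing it says nothing about whether a phrase is the right one.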

The mnemonic phrase alone is not a private key. To generate the actual cryptographic keys for a wallet, the phrase undergoes a key derivation process. Using the PBKDF2 function with HMAC-SHA512, the mnemonic sentence is combined with an optional passphrase (also called a 25th word) to produce a 512-bit seed. This seed is the root from which a Hierarchical Deterministic (HD) wallet, as defined by BIP-32, generates all its private keys, public keys, and addresses. The optional passphrase adds a crucial layer of security, creating a completely different seed from the same mnemonic words if the passphrase is changed.

A core component of BIP-39 is its standardized, carefully curated wordlists available in multiple languages. Each list contains 2048 words selected for distinctiveness—the first four letters of any word are unique within the list. This design minimizes errors during manual entry or recovery. The standard's widespread adoption beyond Bitcoin, by networks like Ethereum, Solana, and others, has made BIP-39 seed phrases the universal user-facing backup mechanism for non-custodial cryptocurrency wallets, effectively translating complex cryptographic secrets into a format that can be written down and stored securely.

BIP-39

Key Features

BIP-39 (Bitcoin Improvement Proposal 39) is the standard for generating human-readable mnemonic phrases, also known as seed phrases, from cryptographic entropy to create deterministic wallets.

01

Mnemonic Phrase Generation

BIP-39 defines the process for creating a mnemonic sentence from a source of entropy. The entropy (128 to 256 bits) is hashed using SHA-256, and a checksum is appended. This combined bit sequence is split into groups of 11 bits, each mapping to a predefined word from a 2048-word list. The result is a 12 to 24-word phrase that is easier to back up and transcribe than raw binary data.

02

Deterministic Seed Derivation

The mnemonic phrase is not directly used as a private key. Instead, it is processed with the PBKDF2 function using the phrase and an optional passphrase (also called a 25th word) as inputs. This generates a 512-bit seed, which is the root for a Hierarchical Deterministic (HD) wallet (BIP-32). This single seed can then derive an entire tree of private keys and addresses.

03

Standardized Word Lists

A key feature is its use of standardized word lists available in multiple languages (e.g., English, Japanese, Spanish). Each list contains 2048 carefully selected words where:

  • The first four letters are unique.
  • Words are chosen for clarity and to avoid confusion.
  • This allows for reliable, cross-wallet compatibility and reduces transcription errors during recovery.

04

Checksum Validation

The standard includes a built-in error-checking mechanism. The SHA-256 hash of the initial entropy creates a checksum (first entropy_length/32 bits). During recovery, the process is reversed: words are converted back to bits, the checksum is verified, and any mismatch indicates an error in the mnemonic phrase. This helps users detect typos or incorrect word entry.

05

Passphrase for Extra Security

BIP-39 supports an optional user-supplied passphrase. This passphrase, combined with the mnemonic, creates a completely different seed. It acts as a second factor, creating a "hidden wallet." Crucially, there is no way to verify a passphrase is correct without generating addresses, making it resistant to brute-force attacks but also introducing risk of loss if forgotten.

06

Interoperability & Adoption

Despite being a Bitcoin BIP, BIP-39 has become the de facto standard for mnemonic generation across the cryptocurrency industry. It is implemented by thousands of wallets (e.g., Ledger, Trezor, MetaMask) and supports coins beyond Bitcoin (Ethereum, Solana, etc.). This widespread adoption ensures that a seed phrase from one compatible wallet can often recover assets in another.

STANDARD

Visual Explainer: The BIP-39 Flow

A step-by-step breakdown of the BIP-39 standard for generating a human-readable mnemonic phrase and deriving a deterministic wallet seed.

BIP-39 (Bitcoin Improvement Proposal 39) is the technical standard that defines the process for creating a mnemonic phrase—a set of 12 to 24 common words—from a source of entropy, which is then used to generate a cryptographic seed for a hierarchical deterministic (HD) wallet. The flow begins with the generation of a random sequence of bits (entropy), typically 128 to 256 bits in length. This entropy is processed through a SHA-256 hash function to create a checksum, which is appended to the original entropy. The combined bits are then split into groups of 11 bits, each group mapping to a predefined word from the BIP-39 wordlist, resulting in the final mnemonic phrase.

The mnemonic phrase alone is not a wallet key. To derive the root seed for an HD wallet, the phrase undergoes the PBKDF2 key derivation function. The mnemonic is combined with an optional user-supplied passphrase (also called an extension word) in a process often referred to as 'mnemonic + passphrase = seed'. This process applies 2048 rounds of hashing using the HMAC-SHA512 algorithm. The output is a 512-bit master seed, which serves as the root for all private keys, public keys, and addresses in the HD wallet structure defined by BIP-32. This step is crucial as it adds an extra layer of security; a lost passphrase renders the seed unrecoverable even with the correct mnemonic.

The final 512-bit seed is the foundational input for BIP-32 hierarchical deterministic key derivation. This seed is fed into the HMAC-SHA512 function one more time to produce a master extended private key (xprv) and chain code. From this single root, an entire tree of keys can be deterministically generated, allowing for the creation of nearly unlimited addresses from one backup phrase. The BIP-39 flow elegantly bridges human memory and cryptographic rigor, transforming a memorable word list into a robust, deterministic cryptographic root. Its adoption across Bitcoin, Ethereum, and countless other blockchains has made it the de facto standard for wallet backup and recovery.
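The two derivation steps just described (mnemonic plus passphrase to a 512-bit seed, then seed to BIP-32 master key and chain code), as an added Python example that is not code from the original page. The `"mnemonic"` salt prefix, NFKD normalisation and the `"Bitcoin seed"` HMAC key are taken from the BIP-39 and BIP-32 texts, not from this page; the phrase is the public all-zero-entropy test phrase and the function names are illustrative.

```python
import hashlib
import hmac
import unicodedata

PBKDF2_ROUNDS = 2048  # iteration count stated above
# Order of the secp256k1 group; BIP-32 rejects a master key outside 1..N-1.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Public test phrase (all-zero 128-bit entropy). Never use it to hold funds.
TEST_MNEMONIC = "abandon " * 11 + "about"


def mnemonic_to_seed(mnemonic, passphrase=""):
    """BIP-39 seed: PBKDF2-HMAC-SHA512 over the NFKD-normalised sentence."""
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    # Salt is the literal string "mnemonic" followed by the passphrase.
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, PBKDF2_ROUNDS, dklen=64)


def bip32_master(seed):
    """BIP-32 root: HMAC-SHA512(key=b'Bitcoin seed', seed) -> (key, chain code)."""
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    key, chain_code = digest[:32], digest[32:]
    if not 0 < int.from_bytes(key, "big") < SECP256K1_N:
        raise ValueError("seed yields an invalid master key")
    return key, chain_code


def roots_for_passphrases(mnemonic, passphrases):
    """Master private key (hex) for each passphrase tried on one mnemonic."""
    return {p: bip32_master(mnemonic_to_seed(mnemonic, p))[0].hex()
            for p in passphrases}


if __name__ == "__main__":
    # Every passphrase, including a mistyped one, yields a valid but
    # unrelated wallet root; nothing signals that a passphrase is "wrong".
    for phrase, root in roots_for_passphrases(
            TEST_MNEMONIC, ["", "TREZOR", "trezor"]).items():
        print(repr(phrase), "->", root[:16], "...")
```

Because derivation never fails on a mistyped passphrase, a restore is only confirmed by comparing the derived addresses with ones recorded when the wallet was created.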

BIP-39

Ecosystem Usage

BIP-39 (Bitcoin Improvement Proposal 39) is the de facto standard for generating human-readable mnemonic phrases, or seed phrases, used to derive deterministic wallets across the blockchain ecosystem.

01

Mnemonic Phrase Generation

BIP-39 defines the process for creating a mnemonic sentence from entropy. The process involves:

  • Generating 128 to 256 bits of random entropy.
  • Calculating a checksum and appending it to the entropy.
  • Splitting the result into 11-bit segments, each mapping to a predefined word from a 2048-word list.
  • The result is a 12, 15, 18, 21, or 24-word phrase that is easier to back up and transcribe than raw binary data.

02

Seed Derivation & HD Wallets

The mnemonic phrase is not the private key itself. Using the PBKDF2 function with the mnemonic and an optional passphrase, BIP-39 generates a 512-bit seed. This seed is then used as the root for a Hierarchical Deterministic (HD) wallet structure defined by BIP-32. From this single seed, an entire tree of key pairs can be deterministically generated, enabling the management of multiple accounts and addresses.

03

Standardized Word Lists

A core component of BIP-39 is its standardized, localized word lists. Each list contains 2048 carefully selected words where:

  • The first four letters of each word are unique.
  • Words are chosen to avoid confusion (e.g., 'cat' and 'bat').
  • Lists exist for multiple languages (English, Japanese, Spanish, etc.), improving accessibility.

This standardization ensures interoperability between different wallet software that implements the spec.

04

Wallet Interoperability

BIP-39's widespread adoption is its key feature. A seed phrase generated by a software wallet like MetaMask can be imported into a hardware wallet like a Ledger or Trezor, and vice-versa. This interoperability is crucial for user sovereignty, allowing recovery of assets if one wallet provider ceases operation. It has become the foundational backup standard for the entire multi-chain ecosystem.

05

Passphrase Extension (Optional)

BIP-39 supports an optional user-defined passphrase (sometimes called a "25th word").

  • This passphrase is combined with the mnemonic during seed generation.
  • It creates a completely different seed and wallet hierarchy, acting as a hidden wallet or a second factor of security.
  • Crucially, there is no way to recover a forgotten passphrase—it is not stored anywhere and must be memorized.

06

Security Considerations

While BIP-39 enhances usability, its security depends on proper implementation and user practice:

  • Entropy Source: The initial random number must be cryptographically secure.
  • Phrase Storage: The mnemonic must be stored offline, away from digital cameras and cloud storage.
  • Passphrase Risks: A weak passphrase undermines security; a lost one makes funds irrecoverable.
  • Physical Security: The word list is public, so possession of the written phrase equals control of the assets.
BIP-39

Security Considerations

BIP-39 is a standard for generating a human-readable mnemonic phrase from entropy, which is then used to derive a deterministic wallet seed. While convenient, its security depends entirely on the secrecy and integrity of the mnemonic phrase.

01

Mnemonic Phrase Secrecy

The 12 or 24-word mnemonic phrase is the master key to all derived private keys. Its security is paramount.

  • Never store digitally: Avoid photos, cloud storage, or plaintext files.
  • Physical security: Use metal backup plates resistant to fire and water.
  • Social engineering: Be wary of phishing sites or individuals asking for your phrase.

02

Entropy & Randomness

The strength of the mnemonic begins with high-quality entropy (randomness).

  • Source: Must be generated by a cryptographically secure random number generator (CSPRNG).
  • Weak entropy (e.g., user-chosen words) drastically reduces security, making wallets vulnerable to brute-force attacks.
  • The checksum (encoded in the final bits of the last word) verifies integrity but does not add significant cryptographic strength.

03

Passphrase (Optional 25th Word)

BIP-39 supports an optional passphrase, creating a hidden wallet.

  • Key Fact: The passphrase is not stored in the mnemonic and is required during derivation.
  • Security Benefit: Adds a second factor; knowing the mnemonic alone is insufficient.
  • Critical Risk: If forgotten, all derived keys and funds are permanently inaccessible. There is no recovery mechanism.

04

Derivation Path Security

The mnemonic seed is used with a key derivation function (PBKDF2) and a derivation path (e.g., BIP-44) to generate keys.

  • Isolation: Different paths for different coins/accounts improve compartmentalization.
  • Vulnerability: A compromised seed compromises all keys derived from it, regardless of path.
  • Implementation: Ensure your wallet uses standard, well-audited derivation libraries.

05

Physical Attack Vectors

The mnemonic's physical form is a target.

  • Shoulder Surfing: Be aware of cameras or observers when writing or entering the phrase.
  • Destruction: Paper backups are vulnerable to fire, water, and decay.
  • Theft: A physical backup found is equivalent to losing all funds. Secure it like cash or a precious metal.

06

Verification & Recovery Testing

Properly verifying your backup is a critical security step.

  • Dry-Run Recovery: After creating a wallet, wipe the device and restore using only the mnemonic and passphrase to confirm the process works.
  • Verify Addresses: Ensure the restored wallet generates the same receiving addresses as the original.
  • Never test with a wallet containing significant funds first; use a test wallet with minimal value.

KEY GENERATION STANDARDS

Comparison: BIP-39 vs. Other Key Formats

A technical comparison of mnemonic and non-mnemonic methods for generating and storing cryptographic keys.

| Feature | BIP-39 Mnemonic | Raw Private Key (Hex/WIF) | Hardware Wallet Seed |
| --- | --- | --- | --- |
| Core Format | Human-readable word list (12-24 words) | 64-character hex string or Wallet Import Format | Proprietary binary/encrypted blob |
| Human Memorability | | | |
| Checksum Validation | | | |
| Deterministic (HD) Wallet Support | | | |
| Standardization | Community BIP (Bitcoin Improvement Proposal) | De facto standard from Bitcoin core | Vendor-specific implementation |
| Cross-Wallet Compatibility | | | |
| Typical Use Case | User backup and recovery | Direct key import, scripting | Secure element initialization |
| Entropy Source | 128-256 bits | 256 bits | Hardware True RNG |

BIP-39

Common Misconceptions

Bitcoin Improvement Proposal 39 (BIP-39) defines a standard for generating mnemonic codes—human-readable seed phrases—used to derive deterministic wallets. Despite its widespread adoption, several persistent misunderstandings exist about its security properties and operational scope.

No, a BIP-39 seed phrase is not a private key; it is a human-readable mnemonic representation of the seed from which a hierarchy of private keys can be deterministically generated. The 12 or 24-word mnemonic, combined with an optional passphrase, is processed through the PBKDF2 function to create the master seed. This seed is then used as input for a key derivation function like BIP-32 to generate the master private key and all subsequent child keys for your wallet. The seed phrase is the root of your wallet's entire key hierarchy, not a single key itself.

BIP-39

Frequently Asked Questions (FAQ)

BIP-39 is the standard for generating human-readable mnemonic phrases from random entropy. These questions address its purpose, security, and practical use.

BIP-39 is a Bitcoin Improvement Proposal that defines a method for encoding random entropy as a mnemonic phrase (a list of easy-to-remember words), which is then used to derive the seed of a deterministic wallet. It works by taking an entropy source (random data), generating a checksum, and encoding the combined data into a sequence of words from a predefined 2048-word list. The mnemonic phrase is therefore a human-readable backup from which the seed, and with it all associated private keys and addresses, can be recovered. This standard is widely adopted beyond Bitcoin for wallet recovery across many blockchain ecosystems.
