What Is a 24-Word Recovery Phrase?
A 24-word recovery phrase — also called a mnemonic phrase or seed phrase — is the master backup for a Bitcoin wallet. It consists of 24 ordinary English words drawn from a standardized list of 2,048 words defined by the BIP39 specification. These words encode the cryptographic seed from which every private key in your wallet is derived. Lose access to your hardware wallet, and these 24 words are your path to full recovery. Lose the words themselves, and your bitcoin may be gone permanently.
The recovery phrase is not a password you choose. It is generated through a precise cryptographic process that produces genuine randomness, and every word matters — including the order they appear in. Understanding exactly how this works, and how to protect it, is foundational to self-custody security.
How BIP39 Generates a 24-Word Phrase
The process behind your 24-word phrase follows the BIP39 standard (Bitcoin Improvement Proposal 39), published in 2013. Here is exactly what happens inside your hardware wallet when it generates a new seed phrase:
Step 1 — Entropy generation. The wallet’s random number generator produces 256 bits of entropy. This is raw randomness — a string of 256 ones and zeros. The quality of this entropy is critical. A flawed random number generator means a predictable seed phrase, which is why reputable hardware wallets use dedicated true random number generators (TRNGs) built into their secure elements.
Step 2 — Checksum calculation. The wallet computes a SHA-256 hash of the 256-bit entropy. The first 8 bits of this hash become the checksum. This checksum is appended to the original entropy, producing a total of 264 bits.
Step 3 — Splitting into groups. The 264-bit string is divided into 24 groups of 11 bits each. Each 11-bit group represents a number between 0 and 2,047.
Step 4 — Word mapping. Each number maps to a specific word in the BIP39 word list. The English word list contains exactly 2,048 words, chosen to be unambiguous (no two words share the same first four letters). The result: 24 words in a fixed order.
The checksum in the final word means that random collections of 24 words from the list will almost never form a valid seed phrase. This provides basic error detection — if you make a transcription mistake, wallet software can flag it immediately.
12-Word vs 24-Word Phrases: Security Comparison
Not all seed phrases are 24 words. Many wallets default to 12-word phrases. The difference comes down to the amount of initial entropy:
| Feature | 12-Word Phrase | 24-Word Phrase |
|---|---|---|
| Entropy | 128 bits | 256 bits |
| Checksum bits | 4 bits | 8 bits |
| Total bits encoded | 132 bits | 264 bits |
| Possible combinations | 2128 (~3.4 x 1038) | 2256 (~1.16 x 1077) |
| Brute-force resistance | Computationally infeasible today | Computationally infeasible even against quantum computers (Grover’s algorithm halves the effective bits to 128) |
| Transcription effort | Lower — 12 words to record | Higher — 24 words to record |
| Error detection | 4-bit checksum (weaker) | 8-bit checksum (stronger) |
A 12-word phrase with 128 bits of entropy is already beyond any brute-force attack using classical computers. However, 24 words provide a margin against future advances. Grover’s algorithm on a sufficiently powerful quantum computer could effectively reduce 128-bit security to 64-bit security — which would be breakable. A 256-bit seed reduced to 128 effective bits remains safe. For long-term cold storage of significant amounts, 24 words is the conservative choice.
From Seed Phrase to Private Keys: BIP32 and BIP44 Derivation
Your 24 words are not your private keys. They are a human-readable encoding of the seed from which private keys are derived. The derivation process follows BIP32 (Hierarchical Deterministic wallets) and BIP44 (multi-account structure).
First, BIP39 converts your mnemonic words into a 512-bit seed using PBKDF2-HMAC-SHA512 with 2,048 rounds of hashing. If you use an optional passphrase (sometimes called the “25th word”), it is mixed in at this stage, producing a completely different seed from the same 24 words. This is detailed in our guide on wallet passphrases and recovery.
The 512-bit seed is then fed into HMAC-SHA512 to produce a master private key and a master chain code. From there, a tree of child keys is derived using the hierarchical deterministic wallet mathematics defined in BIP32. Each branch of this tree can generate billions of unique Bitcoin addresses, all recoverable from the same 24-word backup.
BIP44 adds structure to this tree with a standardized derivation path: m/44'/0'/0'/0/0 for the first Bitcoin address. The path encodes the coin type, account number, and address index. This structure is what allows a single seed phrase to manage multiple cryptocurrencies, multiple accounts, and unlimited addresses — all deterministically.
Security Best Practices for Your Recovery Phrase
Your 24-word recovery phrase is the single point of failure for your entire Bitcoin holdings. Every security decision you make about it matters.
Physical Storage Is Non-Negotiable
Write your seed phrase on paper or stamp it into metal. Never store it digitally — not in a text file, not in a password manager, not in an encrypted note on your phone. Digital storage exposes your seed to malware, cloud breaches, and device compromise. A metal backup resists fire and water damage that would destroy paper. For a detailed comparison of metal storage solutions, read our seed phrase storage best practices guide.
Location and Redundancy
Store your backup in a secure location: a home safe, a bank safety deposit box, or another place with controlled access. Consider creating a second backup stored at a geographically separate location to protect against localized disasters. However, every additional copy increases the attack surface — someone finding any copy gains full access to your funds.
Never Share Your Seed Phrase
No legitimate service, wallet manufacturer, or support representative will ever ask for your seed phrase. Anyone who asks for it is attempting to steal your bitcoin. This applies to phone calls, emails, social media messages, and in-person requests without exception.
Consider a Passphrase for Additional Protection
Adding a passphrase (the so-called 25th word) creates an entirely separate set of wallets derived from the same 24 words. Even if someone finds your seed phrase backup, they cannot access funds protected by the passphrase. The trade-off: if you forget the passphrase, those funds are unrecoverable. This is a powerful tool, but it requires its own careful backup strategy.
Common Mistakes That Compromise Recovery Phrases
These are the errors that lead to real-world bitcoin losses:
Taking a screenshot or photo. Your phone syncs images to iCloud or Google Photos automatically. A seed phrase photo sitting in cloud storage is exposed to every breach that hits that cloud provider, plus anyone who gains access to your account.
Typing it into a computer. Keyloggers, clipboard hijackers, and screen-capture malware exist specifically to capture cryptocurrency credentials. The moment your seed phrase touches a general-purpose operating system, it is potentially compromised.
Storing it in email or messaging apps. Sending your seed phrase to yourself “for safekeeping” puts it on email servers, potentially in plaintext, subject to subpoenas, breaches, and unauthorized access.
Splitting the phrase incorrectly. Some people split their 24 words into two groups of 12, storing each half separately. This is weaker than it appears — an attacker with 12 of your 24 words only needs to brute-force the remaining 12 words, which while still extremely difficult, is exponentially easier than brute-forcing all 24. Shamir’s Secret Sharing (SLIP39) is a more robust splitting approach.
Using a brain wallet. Attempting to memorize 24 words without a physical backup is a gamble against your own memory, health, and mortality. Always maintain a written backup.
How to Verify Your Backup Works
Writing down 24 words means nothing if you copied them wrong. Verification is a necessary step:
Method 1 — Wallet re-derivation check. After generating your seed phrase and writing it down, reset the wallet and recover from your written backup. If the wallet restores with the same addresses and balances, your backup is correct. Do this before sending any significant funds to the wallet.
Method 2 — Checksum validation. Some tools (including the Ian Coleman BIP39 tool, run offline on an air-gapped machine) can verify that your 24 words form a valid BIP39 mnemonic. If you have a transcription error, the checksum will fail. Never enter your real seed phrase into any online tool.
Method 3 — Dry-run recovery. Periodically test your backup by recovering the wallet on a separate device. This confirms that your backup is intact, readable, and produces the expected accounts. For guidance on the broader security architecture around wallet recovery, see our piece on cold storage and risk management.
What Happens If You Lose Words
Losing one or two words from a 24-word phrase is not necessarily catastrophic, but recovery becomes a computational challenge. Since each word encodes 11 bits of information, a single missing word means 2,048 possible combinations to try. Specialized recovery services and open-source tools (like BTCRecover) can brute-force one or two missing words in a reasonable time. Three missing words means roughly 8.6 billion combinations — still feasible with modern hardware, but slow. Four or more missing words pushes recovery into impractical territory without significant computing resources.
If words are present but their order is scrambled, the problem grows factorial. Reordering 24 words has 24! (about 6.2 x 1023) permutations — far beyond brute-force capability. This is why recording the words in the exact order matters.
For those storing significant value in Bitcoin, the risk of seed phrase loss underscores the case for multisignature setups, where no single seed phrase is a single point of failure. Our guide on transitioning from single-sig to multisig covers this approach.
Seed Phrases Explained: BIP39 from the
Bitcoin Wallets & Self-Custody course.
Frequently Asked Questions
Can someone guess my 24-word recovery phrase?
No. A 24-word BIP39 phrase encodes 256 bits of entropy. The number of possible valid phrases is approximately 2256, which is roughly 1.16 x 1077. To put that in perspective, the estimated number of atoms in the observable universe is around 1080. Even if every computer on Earth dedicated all processing power to guessing your phrase, the expected time to find it would exceed the age of the universe by many orders of magnitude. The seed phrase is unguessable assuming it was generated by a proper random number generator.
Is a 12-word phrase secure enough?
For most practical purposes today, yes. A 12-word phrase provides 128 bits of entropy, which is considered secure against all known classical attacks. However, the theoretical threat of quantum computing (specifically Grover’s algorithm) could reduce the effective security to 64 bits in the distant future. A 24-word phrase provides a safety margin against this scenario, reducing to 128 effective bits under quantum attack. If you are planning long-term cold storage measured in decades, 24 words is the more conservative choice.
What is the difference between a seed phrase and a private key?
A seed phrase is a human-readable representation of the master seed, from which an entire tree of private keys is derived using BIP32 hierarchical deterministic derivation. A private key is a single 256-bit number that controls a single Bitcoin address. One seed phrase can generate billions of private keys. Backing up the seed phrase backs up all current and future keys derived from it. This relationship is explored in depth in our wallet architecture overview.
Can I change my recovery phrase?
You cannot modify an existing recovery phrase. The phrase is a deterministic encoding of the entropy generated at wallet creation. To get a new phrase, you must create a new wallet, which generates new entropy and a new set of 24 words. You would then need to transfer all funds from the old wallet to addresses derived from the new seed phrase. The old phrase remains valid and would still recover the old (now empty) wallet.
Should I store my recovery phrase in a bank safety deposit box?
A bank safety deposit box provides physical security against theft and home disasters, making it a reasonable storage location for a seed phrase backup. However, there are trade-offs to consider. You lose immediate access — banks have operating hours, and boxes can be sealed during legal proceedings. The bank itself does not know or have access to your phrase’s contents, but employees could theoretically observe you accessing it. For high-value holdings, combining a safety deposit box with additional strategies like inheritance planning and geographic distribution of backups provides stronger protection than any single storage method.
For a broader perspective, explore our Bitcoin seed phrase security guide.
{“@context”: “https://schema.org”, “@type”: “FAQPage”, “mainEntity”: [{“@type”: “Question”, “name”: “Can someone guess my 24-word recovery phrase?”, “acceptedAnswer”: {“@type”: “Answer”, “text”: “No. A 24-word BIP39 phrase encodes 256 bits of entropy. The number of possible valid phrases is approximately 2256, which is roughly 1.16 x 1077. To put that in perspective, the estimated number of atoms in the observable universe is around 1080. Even if every computer on Earth dedicated all processing power to guessing your phrase, the expected time to find it would exceed the age of the universe by many orders of magnitude. The seed phrase is unguessable assuming it was generated by a prope…”}}, {“@type”: “Question”, “name”: “Is a 12-word phrase secure enough?”, “acceptedAnswer”: {“@type”: “Answer”, “text”: “For most practical purposes today, yes. A 12-word phrase provides 128 bits of entropy, which is considered secure against all known classical attacks. However, the theoretical threat of quantum computing (specifically Grover’s algorithm) could reduce the effective security to 64 bits in the distant future. A 24-word phrase provides a safety margin against this scenario, reducing to 128 effective bits under quantum attack. If you are planning long-term cold storage measured in decades, 24 word…”}}, {“@type”: “Question”, “name”: “What is the difference between a seed phrase and a private key?”, “acceptedAnswer”: {“@type”: “Answer”, “text”: “A seed phrase is a human-readable representation of the master seed, from which an entire tree of private keys is derived using BIP32 hierarchical deterministic derivation. A private key is a single 256-bit number that controls a single Bitcoin address. One seed phrase can generate billions of private keys. Backing up the seed phrase backs up all current and future keys derived from it. This relationship is explored in depth in our wallet architecture overview.”}}, {“@type”: “Question”, “name”: “Can I change my recovery phrase?”, “acceptedAnswer”: {“@type”: “Answer”, “text”: “You cannot modify an existing recovery phrase. The phrase is a deterministic encoding of the entropy generated at wallet creation. To get a new phrase, you must create a new wallet, which generates new entropy and a new set of 24 words. You would then need to transfer all funds from the old wallet to addresses derived from the new seed phrase. The old phrase remains valid and would still recover the old (now empty) wallet.”}}, {“@type”: “Question”, “name”: “Should I store my recovery phrase in a bank safety deposit box?”, “acceptedAnswer”: {“@type”: “Answer”, “text”: “A bank safety deposit box provides physical security against theft and home disasters, making it a reasonable storage location for a seed phrase backup. However, there are trade-offs to consider. You lose immediate access — banks have operating hours, and boxes can be sealed during legal proceedings. The bank itself does not know or have access to your phrase’s contents, but employees could theoretically observe you accessing it. For high-value holdings, combining a safety deposit box with ad…”}}]}
