What Is BIP39?
BIP39 (Bitcoin Improvement Proposal 39) is a standard that defines how to generate a mnemonic sentence — a sequence of ordinary English words — from cryptographic randomness. Originally designed for cryptocurrency wallets, BIP39 has become the de facto standard for human-readable seed phrases across the industry.
The core idea is elegant: instead of asking users to back up a 256-bit private key (a 64-character hex string like 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8), BIP39 converts that same entropy into something like:
abandon ability able about above absent absorb abstract absurd abuse access accident
Both representations contain the same information. One is impossible to remember; the other is merely difficult.
The 2048-Word List
BIP39 defines a carefully curated list of exactly 2048 English words. The number is not arbitrary — 2048 = 2^11, meaning each word encodes exactly 11 bits of entropy. This makes the math clean:
| Phrase Length | Entropy | Checksum | Total Bits |
|---|---|---|---|
| 12 words | 128 bits | 4 bits | 132 bits |
| 15 words | 160 bits | 5 bits | 165 bits |
| 18 words | 192 bits | 6 bits | 198 bits |
| 21 words | 224 bits | 7 bits | 231 bits |
| 24 words | 256 bits | 8 bits | 264 bits |
Word Selection Criteria
The BIP39 English wordlist was chosen with specific constraints:
- Minimum 4 characters per word
- First 4 characters uniquely identify each word — no two words share the same first 4 letters. “abst” can only mean “abstract”, “abso” can only mean “absorb”. You only need to type 4 characters to unambiguously select a word
- No similar-sounding words — reduces transcription errors
- Common vocabulary — words most English speakers know
- Sorted alphabetically — enables binary search and compression
There are 10 official BIP39 wordlists: English, Spanish, French, Italian, Portuguese, Czech, Japanese, Korean, Chinese (Simplified), and Chinese (Traditional). Each follows similar design constraints adapted for the language. The BIP39 maintainers no longer accept new language proposals — additional languages are directed to the separate WLIPS (Word List Improvement Proposals) repository.
Safe Pass Guru supports all 10 official languages in its passphrase generator.
How BIP39 Generation Works
Step 1: Generate Random Entropy
A cryptographically secure random number generator (CSPRNG) produces 128 to 256 bits of randomness. For a 12-word phrase, that’s 128 bits (16 bytes).
Step 2: Compute Checksum
A SHA-256 hash of the entropy is computed. The first entropy_bits / 32 bits of the hash become the checksum. For 128-bit entropy, that’s 4 bits of checksum.
Step 3: Combine and Split
The entropy and checksum bits are concatenated (128 + 4 = 132 bits) and split into groups of 11 bits. Each 11-bit group is an index (0–2047) into the wordlist.
Step 4: Map to Words
Each index maps to a word: index 0 = “abandon”, index 1 = “ability”, …, index 2047 = “zoo”.
The result is a 12-word mnemonic that encodes your 128-bit secret plus a checksum for error detection.
Security Analysis
Brute-Force Resistance
A 12-word BIP39 phrase has 128 bits of entropy. To put that in perspective:
- 2^128 ≈ 3.4 × 10^38 possible combinations
- At 1 trillion guesses per second, it would take 10^19 years to try them all
- The universe is approximately 1.38 × 10^10 years old
- You’d need about 724 million universe-lifetimes to brute-force a 12-word phrase
A 24-word phrase doubles the entropy to 256 bits, which is considered secure against quantum computers using Grover’s algorithm (which effectively halves the entropy, leaving 128 bits — still infeasible to crack).
The Checksum Matters
The built-in checksum means not every combination of 12 words is a valid BIP39 phrase. Only 1 in 16 random 12-word combinations will have a valid checksum. This helps detect typos when entering a seed phrase but does not significantly impact brute-force security (reducing the search space by a factor of 16 is negligible at 128-bit scale).
BIP39 Beyond Cryptocurrency
While BIP39 was designed for Bitcoin wallets, its wordlist has found broader applications:
- Password generators (like Safe Pass Guru) use BIP39 words for passphrase generation
- Backup codes for two-factor authentication
- Secret sharing schemes that split secrets into word-based shares
- Air-gapped communication where secrets need to be spoken aloud or written by hand
The wordlist’s design properties — unambiguous, memorable, error-resistant — make it suitable anywhere humans need to interact with cryptographic secrets.
BIP39 vs Diceware
Both BIP39 and Diceware generate passphrases from wordlists, but they differ:
| Feature | BIP39 | Diceware (EFF) |
|---|---|---|
| Words in list | 2048 | 7776 |
| Bits per word | 11 | 12.9 |
| Selection method | CSPRNG | Physical dice |
| Checksum | Yes (SHA-256) | No |
| Primary use | Crypto wallets | Passwords |
| Standardised | Yes (BIP) | Community standard |
For passphrase generation (non-crypto), both are excellent choices. BIP39’s slightly lower entropy per word (11 vs 12.9 bits) is offset by the checksum validation and broader tooling support.
Best Practices
- Never generate seed phrases on a compromised device — use a trusted, offline system
- Write it down on paper — digital copies can be hacked, paper cannot be remotely accessed
- Store in multiple secure locations — a single copy is a single point of failure
- Never share your seed phrase — no legitimate service will ever ask for it
- Test recovery before storing value — verify you can restore from the phrase before depending on it
- Use the full phrase — don’t try to shorten a 24-word phrase to save time
- Consider a metal backup — paper can be destroyed by fire or water; stamped metal survives both
Safe Pass Guru and BIP39
Safe Pass Guru uses the complete BIP39 English wordlist (2048 words) for its passphrase generator. While the generated passphrases are not intended as cryptocurrency seed phrases (they lack the BIP39 checksum), they benefit from the same carefully designed wordlist properties: unambiguous words, easy memorisation, and strong entropy per word.