User Rating 0.0
Total Usage 0 times
Category Security
Entropy: 160 bits | Checksum: 5 bits
Is this tool helpful?

Your feedback helps us improve.

About

A BIP39 mnemonic encodes cryptographic entropy into a human-readable sequence of words drawn from a fixed 2048-word list. The encoding is not arbitrary. Raw entropy of length ENT bits is hashed with SHA-256, and the first ENT32 bits of that hash form a checksum appended to the entropy. The combined bitstring is split into 11-bit segments, each indexing a word. Errors in transcription corrupt the checksum and are detectable. Losing a mnemonic means permanent, irrecoverable loss of all funds derived from it. There is no recovery service. There is no reset.

This tool generates entropy exclusively via the Web Crypto API (crypto.getRandomValues), which sources randomness from the operating system's CSPRNG. It never uses Math.random(). The mnemonic is computed entirely client-side and is never transmitted, logged, or persisted to storage. Validation mode verifies both wordlist membership and checksum integrity. Note: this tool implements BIP39 only. It does not derive HD wallet keys (BIP32/BIP44). For production wallet creation, verify the mnemonic on an air-gapped device.

bip39 mnemonic seed phrase cryptocurrency wallet entropy checksum bitcoin security

Formulas

The BIP39 mnemonic encoding process converts raw entropy into a word sequence with an embedded checksum.

CS = ENT32
MS = ENT + CS11

Where ENT = entropy length in bits (128, 160, 192, 224, or 256), CS = checksum length in bits (first CS bits of SHA-256(entropy)), and MS = mnemonic sentence length in words.

checksum = SHA-256(entropy)[0..CS]
bits = entropy checksum
wordi = wordlist[bits[i × 11 .. (i + 1) × 11]]

Where denotes bitstring concatenation and wordlist is the ordered BIP39 English word list of 2048 entries. Each 11-bit segment is interpreted as an unsigned integer index.

Reference Data

Word CountEntropy (bits)Checksum (bits)Total (bits)Security LevelPossible Combinations
121284132Standard21283.4 × 1038
151605165Enhanced21601.5 × 1048
181926198Strong21926.3 × 1057
212247231Very Strong22242.7 × 1067
242568264Maximum22561.2 × 1077
BIP39 Wordlist Properties
Total Words2048 (indexed 0 - 2047)
Unique PrefixFirst 4 characters uniquely identify each word
EncodingEach word encodes 11 bits (211 = 2048)
LanguagesEnglish, Japanese, Korean, Spanish, Chinese (Simplified/Traditional), French, Italian, Czech, Portuguese
Hash FunctionSHA-256 (FIPS 180-4)
StandardBIP39 (Bitcoin Improvement Proposal 39, 2013)
PassphraseOptional. Appended as salt during PBKDF2 seed derivation (not part of mnemonic encoding)
Seed DerivationPBKDF2-HMAC-SHA512, 2048 iterations, produces 512-bit seed

Frequently Asked Questions

The checksum scales with entropy to maintain a consistent error-detection rate. For 128-bit entropy, 4 checksum bits provide a 1-in-16 chance that a random modification passes validation. For 256-bit entropy, 8 checksum bits yield 1-in-256. This proportional scaling ensures that longer mnemonics (which are harder to manually verify) get stronger checksums. The ratio ENT/32 also guarantees the total bit count (ENT + CS) is always divisible by 11, producing a clean word count.
In theory, yes. If you know the position of the missing word, you must brute-force only 2048 candidates and validate each against the checksum. This is computationally trivial. If two words are unknown, you face 2048² ≈ 4.2 million candidates - still feasible. Beyond three unknown words, recovery becomes computationally expensive and may require specialized tools. The checksum helps filter invalid candidates, reducing search space by a factor of 2^CS.
No. Math.random() is a PRNG (Pseudo-Random Number Generator) seeded from a predictable state. Its output is deterministic and reproducible if the seed is known. In V8 (Chrome), it uses xorshift128+, which can be reverse-engineered from 2-3 observed outputs. For cryptographic key material, only a CSPRNG (Cryptographically Secure PRNG) is acceptable. In browsers, this is crypto.getRandomValues(), which draws from the OS entropy pool (/dev/urandom on Linux, CryptGenRandom on Windows).
The mnemonic is the human-readable encoding of entropy (12-24 words). The seed is a 512-bit value derived from the mnemonic via PBKDF2-HMAC-SHA512 with 2048 iterations, using the string "mnemonic" + optional passphrase as the salt. The seed is what HD wallets (BIP32) use to derive private keys. This tool generates and validates mnemonics only. Seed derivation is a separate, computationally heavier step not performed here.
Absolutely. The word order encodes the exact bit sequence of the entropy. Swapping two words changes the underlying binary data and produces a completely different seed and wallet. Additionally, a reordered mnemonic will almost certainly fail checksum validation. Treat the word sequence as a fixed, ordered array - not a set.
Any data written to digital storage (localStorage, files, clipboard history, screenshots) is vulnerable to malware, browser extensions, cross-site scripting, and forensic recovery from disk. BIP39 mnemonics are master keys - exposure of 12-24 words grants complete, irreversible access to all derived funds. Store mnemonics on paper or stamped metal, in physically secure locations. This tool deliberately never persists generated mnemonics.