About

A BIP39 mnemonic encodes cryptographic entropy into a human-readable sequence of words drawn from a fixed 2048-word list. The encoding is not arbitrary. Raw entropy of length ENT bits is hashed with SHA-256, and the first ENT32 bits of that hash form a checksum appended to the entropy. The combined bitstring is split into 11-bit segments, each indexing a word. Errors in transcription corrupt the checksum and are detectable. Losing a mnemonic means permanent, irrecoverable loss of all funds derived from it. There is no recovery service. There is no reset.

This tool generates entropy exclusively via the Web Crypto API (crypto.getRandomValues), which sources randomness from the operating system's CSPRNG. It never uses Math.random(). The mnemonic is computed entirely client-side and is never transmitted, logged, or persisted to storage. Validation mode verifies both wordlist membership and checksum integrity. Note: this tool implements BIP39 only. It does not derive HD wallet keys (BIP32/BIP44). For production wallet creation, verify the mnemonic on an air-gapped device.

Formulas

The BIP39 mnemonic encoding process converts raw entropy into a word sequence with an embedded checksum.

CS = ENT32

MS = ENT + CS11

Where ENT = entropy length in bits (128, 160, 192, 224, or 256), CS = checksum length in bits (first CS bits of SHA-256(entropy)), and MS = mnemonic sentence length in words.

checksum = SHA-256(entropy)[0..CS]

bits = entropy ‖ checksum

word_i = wordlist[bits[i × 11 .. (i + 1) × 11]]

Where ‖ denotes bitstring concatenation and wordlist is the ordered BIP39 English word list of 2048 entries. Each 11-bit segment is interpreted as an unsigned integer index.

Reference Data

Word Count	Entropy (bits)	Checksum (bits)	Total (bits)	Security Level	Possible Combinations
12	128	4	132	Standard	2¹²⁸ ≈ 3.4 × 10³⁸
15	160	5	165	Enhanced	2¹⁶⁰ ≈ 1.5 × 10⁴⁸
18	192	6	198	Strong	2¹⁹² ≈ 6.3 × 10⁵⁷
21	224	7	231	Very Strong	2²²⁴ ≈ 2.7 × 10⁶⁷
24	256	8	264	Maximum	2²⁵⁶ ≈ 1.2 × 10⁷⁷
BIP39 Wordlist Properties
Total Words	2048 (indexed 0 - 2047)
Unique Prefix	First 4 characters uniquely identify each word
Encoding	Each word encodes 11 bits (2¹¹ = 2048)
Languages	English, Japanese, Korean, Spanish, Chinese (Simplified/Traditional), French, Italian, Czech, Portuguese
Hash Function	SHA-256 (FIPS 180-4)
Standard	BIP39 (Bitcoin Improvement Proposal 39, 2013)
Passphrase	Optional. Appended as salt during PBKDF2 seed derivation (not part of mnemonic encoding)
Seed Derivation	PBKDF2-HMAC-SHA512, 2048 iterations, produces 512-bit seed

Frequently Asked Questions

The checksum scales with entropy to maintain a consistent error-detection rate. For 128-bit entropy, 4 checksum bits provide a 1-in-16 chance that a random modification passes validation. For 256-bit entropy, 8 checksum bits yield 1-in-256. This proportional scaling ensures that longer mnemonics (which are harder to manually verify) get stronger checksums. The ratio ENT/32 also guarantees the total bit count (ENT + CS) is always divisible by 11, producing a clean word count.

In theory, yes. If you know the position of the missing word, you must brute-force only 2048 candidates and validate each against the checksum. This is computationally trivial. If two words are unknown, you face 2048² ≈ 4.2 million candidates - still feasible. Beyond three unknown words, recovery becomes computationally expensive and may require specialized tools. The checksum helps filter invalid candidates, reducing search space by a factor of 2^CS.

No. Math.random() is a PRNG (Pseudo-Random Number Generator) seeded from a predictable state. Its output is deterministic and reproducible if the seed is known. In V8 (Chrome), it uses xorshift128+, which can be reverse-engineered from 2-3 observed outputs. For cryptographic key material, only a CSPRNG (Cryptographically Secure PRNG) is acceptable. In browsers, this is crypto.getRandomValues(), which draws from the OS entropy pool (/dev/urandom on Linux, CryptGenRandom on Windows).

The mnemonic is the human-readable encoding of entropy (12-24 words). The seed is a 512-bit value derived from the mnemonic via PBKDF2-HMAC-SHA512 with 2048 iterations, using the string "mnemonic" + optional passphrase as the salt. The seed is what HD wallets (BIP32) use to derive private keys. This tool generates and validates mnemonics only. Seed derivation is a separate, computationally heavier step not performed here.

Absolutely. The word order encodes the exact bit sequence of the entropy. Swapping two words changes the underlying binary data and produces a completely different seed and wallet. Additionally, a reordered mnemonic will almost certainly fail checksum validation. Treat the word sequence as a fixed, ordered array - not a set.

Any data written to digital storage (localStorage, files, clipboard history, screenshots) is vulnerable to malware, browser extensions, cross-site scripting, and forensic recovery from disk. BIP39 mnemonics are master keys - exposure of 12-24 words grants complete, irreversible access to all derived funds. Store mnemonics on paper or stamped metal, in physically secure locations. This tool deliberately never persists generated mnemonics.