ToolJutsu
All tools
Developer Tools

BIP-39 Generator

Generate BIP-39 mnemonic phrases for crypto wallet seeds.

Word count

128-bit entropy. 12 words is the most common; 24 is the maximum (~256 bits, equivalent to a 256-bit secret key).
Processed on your device. We never see your files.

How to use BIP-39 Generator

What is BIP-39?

BIP-39 — Bitcoin Improvement Proposal 39, authored by Marek Palatinus, Pavol Rusnak, Aaron Voisine and Sean Bowe in 2013 — defines how to turn a random number into a human-readable list of English words, and back. It is the standard behind every recovery phrase you’ve ever seen handed to you by a hardware wallet.

The motivation was practical: a wallet’s master secret is roughly 128 or 256 bits of entropy. Asking a human to write down 32 hexadecimal characters and transcribe them accurately is a recipe for lost funds — one transposed character and the wallet is gone. A list of common English words is dramatically more robust: distinguishable when written sloppily, recoverable from memory in a pinch, and built-in checksum-protected so a single typo is detectable.

How BIP-39 works

The process is deterministic and fully reversible:

  1. Generate entropy. Pull 128 to 256 bits of cryptographically random data from a CSPRNG. The amount determines the eventual word count: 128 bits → 12 words, 160 → 15, 192 → 18, 224 → 21, 256 → 24.
  2. Append a checksum. Take the SHA-256 hash of the entropy, keep the first entropy_bits / 32 bits, and append them. So 128 bits of entropy gets a 4-bit checksum, 256 bits gets 8.
  3. Split into 11-bit chunks. The combined entropy+checksum is divided into groups of 11 bits each — exactly enough to index into a 2048-word list (2¹¹ = 2048).
  4. Look up the words. Each 11-bit index selects one word from the official English BIP-39 wordlist — a carefully curated set where no two words share the same first four letters, so the first four characters of each word are sufficient to identify it uniquely.
  5. Derive the seed. When the wallet wants the actual master secret, it runs PBKDF2-HMAC-SHA512 with the mnemonic (joined by spaces) as the password, the literal string mnemonic plus the optional passphrase as the salt, and 2048 iterations. The output is a 512-bit seed.
  6. Derive keys. From that seed, BIP-32 builds a hierarchical tree of keys, and BIP-44 / BIP-49 / BIP-84 / BIP-86 paths specify which branch of the tree is used for which coin and address type.

The checksum step is what catches typos: change a single word, the SHA-256 check fails, the wallet refuses to import.

Common use cases

  • Generating a recovery phrase for a new wallet. The phrase IS the wallet — there is no other backup. Hardware wallets perform this step internally and never let the words touch a network; software wallets often do it on whatever device they run on.
  • Restoring a wallet on a new device. Type the words in order into the new wallet and every address, every key, every history is recovered.
  • Testing wallet integrations. Developers building wallet code need known-good mnemonics with predictable derived addresses to test against. Never use a mnemonic from a generator like this one for real value.
  • Seed-phrase recovery drills. Periodically verifying that you can actually restore from your backup before you need to.

How to use this BIP-39 generator

  1. Choose a word count — 12 (the common default), 15, 18, 21, or 24 (the conservative pick).
  2. Optional: enter a passphrase. Leave blank if you don’t have a clear, well-backed-up reason to use one. A forgotten passphrase is unrecoverable.
  3. Click Generate. The library is lazy-loaded on first use; subsequent generations are instant.
  4. Write the words down by hand, in order, on paper. Number them. Verify the transcription by reading them back.
  5. Click Show seed if you want to inspect the 512-bit seed the mnemonic + passphrase derives to. This is the value BIP-32 uses as the master key input.

Security considerations

  • The mnemonic is the wallet. Anyone who reads those words controls every coin the wallet holds. Treat them as more sensitive than any password.
  • Never type a mnemonic into an untrusted device. That includes other people’s computers, public terminals, hotel business centres, and any machine that has installed software from sources you don’t trust. Hardware wallets exist precisely to keep the mnemonic off general-purpose computers.
  • Never photograph or store it digitally. No iCloud, no Google Drive, no password manager, no encrypted note in your phone, no email-to-self. The history of seed loss is full of these.
  • Paper, ideally on metal, ideally in two locations. Steel plates survive house fires that paper does not. Two locations protect against single-site disasters.
  • Test the backup. Before sending real funds, verify you can restore from the written phrase by importing into a second wallet and confirming you see the same addresses.
  • For real value, generate on a hardware wallet. This tool is a learning and testing utility; production seeds should come from a device whose only job is to keep secrets off the internet.

Privacy

Generation runs entirely in your browser using crypto.getRandomValues for entropy and the @scure/bip39 library (lazy-loaded) for word mapping and checksumming. There is no upload, no logging, no analytics. After page load no further network requests are made — you can verify in the Network tab, or disconnect from the network and the tool continues to work.

Compatibility notes

The output is bit-for-bit standard BIP-39 using the official English wordlist (2048 words, SHA-256 of the file is well-known and matches the reference). Mnemonics generated here import cleanly into every BIP-39-compliant wallet — Ledger, Trezor, Coldcard, Electrum, Sparrow, BlueWallet, MetaMask, Trust Wallet, Phantom, Keplr and so on. The optional passphrase follows BIP-39 §8 exactly: appended to the literal string mnemonic and used as the PBKDF2 salt, 2048 iterations of HMAC-SHA-512. Other-language wordlists are defined in the spec but rarely supported by wallets in the wild; this tool uses English only.

Frequently asked questions

How many words should I choose?
The word count maps directly to entropy: 12 words = 128 bits, 15 words = 160 bits, 18 words = 192 bits, 21 words = 224 bits, 24 words = 256 bits. 128 bits is already well beyond brute-force reach — there is no known attack against a properly generated 12-word seed. 12 words is what most hardware wallets default to and is appropriate for everyday use. 24 words is the conservative pick when you want generous safety margin against future cryptanalytic advances or post-quantum concerns, and is the default for Bitcoin Core and Ledger devices in higher-security modes. Practically, the difference between 128-bit and 256-bit seed security is academic; the backup story (paper, metal, geographic distribution) matters orders of magnitude more than the word count.
Should I add a BIP-39 passphrase ('25th word')?
A passphrase is a powerful but unforgiving feature defined in BIP-39 §8. It is mixed into the PBKDF2 derivation alongside the mnemonic, so the same 12 or 24 words produce a completely different wallet depending on whether (and which) passphrase is set. This gives you plausible deniability (a duress wallet with no passphrase, a real wallet behind a passphrase) and protects you if your seed phrase is physically stolen but the passphrase is only in your head. The trap: a forgotten passphrase loses the wallet permanently, with no recovery path. There is no 'forgot passphrase' link. If you use one, back it up separately from the seed words and never in the same location. For most users, no passphrase is the safer default.
How do I back up a seed phrase?
Paper, written by hand, stored offline. That is the canonical and still-best answer. Steel-plate seed-storage products (Cryptosteel, Billfodl, Trezor Keep) are the next step up — they survive house fires and floods that paper does not. Common rules: never type the seed into any computer, never photograph it, never store it in cloud storage or a password manager that syncs, never email it to yourself. For higher-value holdings, split the words across two or three geographically separated locations using a method like SLIP-39 or simple sharding so no single break-in compromises the whole seed. The threat to consider isn't only theft — it is loss (lost paper, illness, death of the keyholder). Plan for both.
Which wallets accept this format?
BIP-39 is a near-universal standard. Mnemonics generated here are accepted by every modern hardware wallet (Ledger, Trezor, Coldcard, BitBox, Jade), every major software wallet (Electrum, BlueWallet, Sparrow, Wasabi, Bitcoin Core via descriptors, MetaMask, Phantom, Keplr, Trust Wallet, Exodus), and any wallet built on the standard Bitcoin / Ethereum library stack. The mnemonic alone determines the seed; the wallet then derives addresses via BIP-32 / BIP-44 / BIP-84 / BIP-86 paths depending on the coin and address type. If you generate a 24-word phrase here and import it into Trezor Suite, you will see the same addresses you would in Electrum or Sparrow.
Is the mnemonic ever transmitted?
No, and this matters more here than for any other tool on this site. The mnemonic is generated locally by crypto.getRandomValues and the @scure/bip39 library (lazy-loaded on first generate). There is no network request during generation, no analytics on the words you produce, no server-side storage. You can verify in the Network tab, or pull the cable after the page loads. That said: even a perfectly local tool is only as safe as the device you run it on. A malware-infected laptop or a browser extension with permission to read page content could exfiltrate the words regardless. For seed phrases protecting real value, generate them on a dedicated offline hardware wallet and treat this tool as a learning, testing or recovery-drill utility.

Related tools

Password Generator

Generate strong, configurable passwords.

Passphrase Generator

Generate memorable passphrases from a curated word list.

Hash Generator

Generate MD5, SHA-1, SHA-256, and SHA-512 hashes.

UUID Generator

Generate v1 and v4 UUIDs in bulk.

Random Token Generator

Generate secure random tokens — alphanumeric, hex, base64url or URL-safe.

HMAC Generator

Generate HMAC signatures with the Web Crypto API.