btclyzer Bitcoin data analytics

Bitcoin seed phrase — backup that actually survives

By btclyzer · Updated May 29, 2026 · 14 min read

A Bitcoin seed phrase is twelve or twenty-four ordinary English words that encode the master secret of an entire wallet. Anyone who has the words has the bitcoin — and anyone who loses them loses the bitcoin. The phrase is generated once, by the device, and never touches a computer or phone again. It belongs on paper or steel, kept in at least two physical locations, never photographed, never typed into anything that didn't generate it, never shared with anyone claiming to be customer support. An optional passphrase (the "25th word") adds a second factor that defeats a stolen seed entirely — at the cost that losing the passphrase loses the funds. More Bitcoin has been permanently lost to forgotten and destroyed seeds than to every exchange hack and collapse combined; the entire job of a seed backup is to make sure your stack is not in that pile.

What a seed phrase actually is

Before BIP39, hardware-wallet backups were raw 256-bit binary numbers — fine for a cryptographer, useless for a human. In 2013 Marek Palatinus and Pavol Rusnak of SatoshiLabs, joined by Aaron Voisine and Sean Bowe, published Bitcoin Improvement Proposal 39, which specified a way to encode that random number as a sequence of common English words that a human could write down, read back without ambiguity, and recover from memory if needed. Every modern Bitcoin wallet — Ledger, Trezor, Coldcard, Sparrow, BlueWallet, Electrum, you name it — uses the same standard. A 12-word seed phrase written on a Ledger today can be loaded into a Trezor in ten years and recover the same wallet.

The encoding is deliberately constrained. The wordlist is a fixed list of 2048 English words chosen so no two share their first four letters (unambiguous on small device screens), no plurals or homophones, no embarrassing words. The words map one-to-one to 11-bit chunks of binary data. A few worked-out numbers make the mechanism concrete:

12-word seed: 128 bits entropy + 4-bit checksum = 132 bits → 12 × 11-bit words
24-word seed: 256 bits entropy + 8-bit checksum = 264 bits → 24 × 11-bit words
Words → seed: phrase + optional passphrase → PBKDF2-HMAC-SHA512 (2048 iter) → 512-bit binary seed
Seed → wallet: 512-bit seed → BIP32 HD derivation → every address, every key, forever

Two consequences fall out of this design that are worth internalising before you ever generate one.

The seed is the wallet. Not "the seed unlocks the wallet" — the seed is the wallet. From it the wallet software deterministically derives every Bitcoin address you have ever used, every private key that signs your transactions, every change address that hides your balance from chain analysts. There is no separate database to back up; there is no server somewhere that remembers your addresses. Lose the seed, lose access to every coin you ever received. Copy the seed onto another device, and that device controls the same wallet — including everything you receive in the future.

The checksum catches typos but is not security. A wallet entering recovery mode will reject "12 random words" with high probability — the last word encodes a checksum of the previous 128 bits, so an arbitrary phrase fails the check. This stops people loading garbage by mistake. It does not stop someone who guesses your seed: if the entropy was correctly random, guessing all 132 bits is computationally infeasible.

From a phrase to every Bitcoin address you own

A 12- or 24-word seed phrase is the human-readable encoding. What the wallet actually works with is the BIP32 hierarchical-deterministic (HD) master key, derived from the seed via PBKDF2 with 2048 rounds. From that one master key, the wallet builds an unbounded tree of child keys along standard derivation paths — one branch for "legacy" addresses (m/44'/0'/0'), one for SegWit (m/49'/0'/0'), one for native SegWit / bech32 (m/84'/0'/0'), one for Taproot (m/86'/0'/0'). Each branch generates address #0, address #1, address #2, and so on, deterministically.

This is why the same seed restores the same wallet on any compliant device, even years later, even after the original device has been destroyed. The seed is the only thing that matters. The device is just a tool that holds the seed and walks the derivation path on demand.

12 words vs 24 words — what the trade really is

Some wallets default to 12 words, some to 24. The debate is older than it should be. The numbers are:

For practical purposes today, 12 words is enough. The dominant risk in self-custody is not brute force — no one in human history has ever brute-forced a 128-bit BIP39 seed — it is operator error: losing the phrase, backing it up badly, photographing it, typing it into a phishing site, dying without telling anyone where it is. The choice between 12 and 24 changes none of those. If you are storing for decades, the small operational cost of 24 words buys you future-proofing against an attack that may or may not ever exist. If you are choosing whichever is the default, the default is fine.

The BIP39 passphrase — the "25th word"

The BIP39 spec defines an optional passphrase: an arbitrary string of any length, chosen by the user, mixed into the seed-derivation function alongside the words. Empty passphrase is the default — it produces the "standard" wallet. A non-empty passphrase produces a completely separate wallet from the same seed words. Mechanically, the passphrase is the salt parameter of the PBKDF2 derivation; mathematically, it shifts you to an entirely different branch of the keyspace.

Same 12 words + no passphrase = wallet A.
Same 12 words + passphrase "correct horse battery staple" = wallet B.
There is no way to tell, from the 12 words alone, that wallet B exists.

This is the strongest single mitigation against a stolen written seed. Even if an attacker finds the words on your steel plate, they can only access the "standard" wallet — which you can keep deliberately empty or lightly funded as a decoy. The real stack lives behind the passphrase, and the passphrase exists only in your head (or in another physical location, with its own backup).

The cost is exact and unforgiving. The passphrase has no checksum, no recovery, no support line. Misremember a single character and you derive a different wallet — empty, unrecoverable, indistinguishable from "the right wallet but with no funds in it". Most setups with a passphrase eventually need the passphrase itself backed up somewhere durable; the question becomes whether that backup lives somewhere safe from the same threats as the seed words.

A reasonable rule: use a passphrase if your threat model includes someone physically finding your seed (housebreak, family member, lost storage location). Skip it if you are likely to forget a passphrase before you are likely to lose physical control of the seed plate. For most users a single, well-stored seed without a passphrase is the right starting point; for users with larger stacks or worse physical-security situations, the passphrase is worth the discipline.

Where to write it — paper, laminated paper, or steel

The backup medium is where most preventable seed losses happen. The trade-off is between cost (a few dollars to a few hundred), durability (decades to centuries), and resistance to specific failure modes (water, fire, time, theft). The table below compares the realistic options.

| | Paper | Laminated paper | Stamped steel plate | Capsule / washer stack |
|---|---|---|---|---|
| Typical cost | ~$0 | ~$5 | ~$15–$95 | ~$50–$150 |
| Fire resistance | ~230°C (chars) | ~230°C (chars) | ~1400°C (stainless) | ~1400°C (stainless) |
| Water resistance | Dissolves / ink runs | Surface only | Immune | Immune |
| Time / decay | Decades, fades | Decades | Centuries | Centuries |
| "Thrown out by accident" risk | High | High | Low (obviously valuable) | Low |
| Tamper visibility | Visible if you check | Visible if you check | Engraving permanent | Sealed capsule visible |
| Examples | Plain paper, wallet's recovery card | Self-laminated card | SeedPlate (~$15), Billfodl (~$95), Blockstream Jade Plate | Cryptosteel Capsule (~$70), various washer-stack designs |

The dominant cost is your time and discipline, not the device itself. A $15 stainless plate plus an evening with a centre-punch is a better backup than a $95 capsule sitting unstamped in a drawer. For any meaningful stack the marginal cost difference between "paper" and "steel" is the cheapest insurance you will buy in the entire setup; spend it.

The six things you must never do with a seed

Almost every loss of a self-custodied stack — outside of complete seed destruction — traces back to one of the six mistakes below. Each looks innocent in isolation. Each has burned holders repeatedly. Treat them as bright-line rules, not soft preferences.

Never photograph the seed

A photo on a phone syncs to iCloud or Google Photos by default. It is OCR-indexable — modern phones extract text from images automatically for search. It survives every backup, every device transfer, every "deleted" gesture (most platforms keep deleted photos for 30+ days). And it can be exfiltrated by any app with media-library access. The exception list is empty: never photograph the seed, not "just for a second", not "I'll delete it after".

Never store the seed digitally

No text file. No note in iCloud, Google Keep or OneDrive. No password manager, even a "good" one — the seed is the master key to a self-sovereign system, and the moment another system can read it that other system becomes a single point of failure. The narrow exception is an explicitly air-gapped, encrypted backup on offline media (e.g. a printed paper-wallet-style QR on a permanently offline device), and even that is overkill versus a steel plate.

Never type the seed into a website

No website ever has a legitimate reason to ask for your seed. Not for "verification". Not for "support". Not for an "airdrop". Not for a "firmware update". Not for "migration". Every site that asks is a phishing site, full stop. Even legitimate wallets only accept the seed in their own installed software during initial recovery — and even that should be a hardware wallet entering the words on its own device, not on the connected computer.

Never share the seed with "customer support"

Ledger does not have your seed and never asks for it. Trezor does not have your seed and never asks for it. Coldcard, BlueWallet, Sparrow, Electrum — none of them, ever. Anyone in a DM, on Telegram, in a Discord, or in an "official" email asking you to type the seed phrase to "resolve an issue" is a scammer. The script has been the same since 2017 because it works on enough people to be worth running. Pre-commit now: you will never share your seed with anyone calling themselves support.

Never "just test it once" by typing it on a connected device

Recovery tests are useful — but the right way to test is on a clean, dedicated, factory-reset hardware wallet entering the words on its own buttons, not on a computer keyboard. The moment the seed touches a connected device's input — even briefly, even in a "trusted" wallet app — it has been exposed to every keylogger, screen-capture tool and clipboard monitor on that machine. The same goes for typing the seed into a wallet on a phone whose browser has eighty extensions installed.

Never store all copies in one location

One steel plate in your apartment defends against fire and water, but not against a burglary that takes the whole drawer, or a house fire that takes the whole apartment, or a flood that takes the whole street. At least two physical copies, in geographically separate locations, is the minimum that survives any single physical catastrophe. The catalogue of holders who lost their seeds in single-location accidents — house fires, floods, evictions, divorces, relocations — is large and unnecessary.

A backup that actually survives

Putting the constraints together yields a small number of viable patterns. Each balances physical-loss resistance against operator complexity. Pick the one that matches your stack size and willingness to manage the workflow.

Minimal

Single steel plate, two locations

Two identical stamped steel plates with the seed. One in your home safe or a bolted-down box. The second at a trusted relative's house, a bank safe-deposit box, or a second property. No passphrase. Suitable for most users below mid-five-figure USD stacks.

Recommended

Steel plate × 2 + passphrase

Same two-location seed plates, but with a BIP39 passphrase added. Passphrase memorised AND written down in a third location with its own protections (e.g. a separate sealed envelope at a different bank or with a different family member). Defeats a stolen seed plate entirely.

Large stack

Multi-signature, multiple devices

2-of-3 or 3-of-5 multi-signature wallet (Sparrow, Specter, Casa, Unchained) across two or three different hardware-wallet brands, geographically distributed. Each device has its own seed backup. No single seed compromise drains funds; no single seed loss locks them. Operationally more complex; right answer at six figures and up.

Inheritance-focused

Single seed + written instructions + executor

Single steel-plate backup plus a sealed letter with plain-English recovery instructions a non-technical heir can follow. Either stored with the seed (defeats some threats) or with a separate trusted executor (better). Optionally augmented by a professional inheritance service (Casa Inheritance, Nunchuk collaborative custody).

Notably absent from this list: "Shamir's Secret Sharing with seven shares scattered across five countries." Schemes like SLIP-39 (Trezor's Shamir implementation) are mathematically elegant — split a seed into N shares, any M of which reconstruct it — but in practice they multiply the operator surface. More shares means more places to lose them, more chances to mis-label which share is which, and a recovery workflow a non-technical heir is unlikely to manage. Useful for very large stacks and well-planned multi-location storage; risk-additive for most users.

Inheritance — the loss mode nobody plans for

Estimates of permanently lost Bitcoin range from roughly 3 to 4 million BTC — between 14 and 19 percent of the supply that will ever exist. The dominant cause is not theft, not exchange collapses, not forgotten passwords. It is owners who died, lost capacity, or moved house without leaving anyone the ability to find the seed. The seed plate sealed inside the wall of an apartment they no longer rented. The single copy in the drawer that the new tenant threw out. The encrypted file on the hard drive that nobody knew the password to.

The mitigations are practical and unromantic:

  1. Write recovery instructions a non-technical heir could follow. Name the wallet software they should download, the website they should download it from, the order of words on the plate, where the passphrase is, and what to expect when they enter it. Test the instructions at least once by reading them back yourself as if you knew nothing.
  2. Tell at least one trusted person the seed exists, and where. Not the words themselves — the existence of the backup and its general location. "There is a steel plate in the bottom drawer of the safe; the instructions for what to do with it are in the sealed envelope in the same drawer." That sentence, on the record, is the difference between recoverable and permanently lost.
  3. Review the plan as the stack grows. A plan that made sense at $5,000 may be inadequate at $500,000. Re-read your own instructions once a year. Update locations as you move. Add or rotate executors as your trust map changes.
  4. Consider a professional service above a certain threshold. Casa Inheritance, Unchained Loans, Nunchuk collaborative custody and similar offerings provide structured key recovery for heirs at a yearly fee. Not appropriate for everyone, but at sufficient stack size the additional cost is rounding error against the alternative — permanent loss.

The unromantic point

A seed phrase is not a password you can reset, a recovery email you can claim, or a customer-service number you can call. It is the only artefact in your entire financial life that has all three of these properties at once: it controls a non-trivial sum, it cannot be reissued if lost, and nobody can be subpoenaed into recovering it for you. Every other safeguard you have ever used — passwords, two-factor codes, security questions, debit cards, social-security numbers — has a recovery path through some institution. The seed has none.

That sounds like a bug. It is the feature the entire rest of Bitcoin is built on. The same property that makes the seed dangerous to lose — that nobody else can reissue it — is the property that makes it impossible for anyone else to seize the funds, freeze the wallet, reverse the transactions or compel the bank to hand them over. There is no bank. There is the seed.

Treat it accordingly.

FAQ

What is a Bitcoin seed phrase?
A Bitcoin seed phrase is a sequence of 12 or 24 ordinary English words that encodes the master secret of a wallet. It is specified by BIP39, a 2013 Bitcoin Improvement Proposal. The words are not arbitrary — they come from a fixed 2048-word list, and they encode a random number plus a checksum. From that one phrase a wallet can deterministically reconstruct every Bitcoin address, private key and signing key it has ever or will ever use. Anyone with the phrase has full control of the wallet.
Is 12 words secure enough, or do I need 24?
12 words gives 128 bits of entropy, which is already beyond brute-forceable on any conceivable hardware now or in the foreseeable future. 24 words gives 256 bits — twice the entropy, redundant against current threats but a margin that matters against future quantum attacks on the entropy itself. For most users 12 words is more than enough; for very long time horizons (decades) and very large balances, the small operational cost of 24 words is worth the future-proofing. Whichever length you choose, the dominant risk is operator error — losing the phrase or backing it up badly — not brute force.
What is the BIP39 passphrase (the "25th word")?
The BIP39 passphrase is an arbitrary extra string — not from any wordlist, chosen by the user — that is mixed into the seed-derivation function alongside the 12 or 24 words. Each unique passphrase produces a completely separate wallet from the same seed. An empty passphrase is the default and produces the "standard" wallet. A non-empty passphrase creates an entirely different wallet that someone finding only the seed words cannot access. It is the strongest single mitigation against a stolen written seed, but losing the passphrase loses the funds permanently — there is no recovery.
Why can't I just take a photo or store the seed in a password manager?
Every digital copy of the seed becomes an attack surface. A photo on a phone syncs to iCloud or Google Photos, is OCR-indexable, can be exposed by a forgotten old device, and can be exfiltrated by any malware with media-library access. A password manager database is encrypted with one password — if that password is ever phished, keylogged, or weak, the seed is gone. A text file is the worst option: trivially readable by any malware. The seed is the master key to a self-sovereign system; the moment any other system can read it, that other system becomes a single point of failure.
Paper or steel — does the medium really matter?
Paper is fine as a starting point and orders of magnitude better than any digital backup, but it has predictable failure modes: it burns at around 230°C, dissolves in water, fades, tears and gets thrown out by accident. A house fire reaches 800–1200°C and ruins paper completely. A stamped or laser-engraved steel backup (Cryptosteel Capsule, SeedPlate, Billfodl, etc.) survives those temperatures, is waterproof, won't degrade with time, and is hard to throw out by mistake. For any meaningful amount of BTC the additional $20–$100 cost of a steel backup is the cheapest insurance in the entire setup.
Should I split the seed into pieces using Shamir's Secret Sharing?
Shamir-style schemes like SLIP-39 (supported on Trezor) split a seed into N shares, of which any M (e.g. 3-of-5) can reconstruct it. The appeal: no single share leaks the seed, and you can survive losing some shares. The trade-off: more shares means more operator surface (more places to lose them, more chances to mis-label which is which) and the recovery workflow is more complex — a non-technical heir may find it harder to follow than a single seed plus passphrase. Useful for very large stacks and well-planned multi-location storage; overkill and risk-additive for most users.
What happens to my BTC if I die?
Unless someone you trust can find your seed and any passphrase, the BTC is permanently inaccessible. This is the largest single category of lost Bitcoin — estimates of permanently lost coins range from 3 to 4 million BTC, most of it due to forgotten or destroyed seeds rather than theft. The mitigations are practical: write instructions a non-technical heir can follow, store the seed and instructions where they will actually be found, consider a professional inheritance service (Casa Inheritance, Unchained Loans, Nunchuk's collaborative custody), and review the plan periodically as your stack grows.