
BIP39 Seed Entropy + Brute-Force Simulator

Your 12-word seed phrase guards every dollar of crypto you own. Whether that protection is iron-clad or trivially defeatable depends on entropy: 12 BIP39 words = 128 bits (uncrackable), 24 words = 256 bits (quantum-resistant for now), brain wallet with 6 memorable words = ~67 bits (cracked in HOURS). This simulator computes brute-force times against various attacker hardware so you can see exactly where the security cliff is.

Brute-force results (values shown by the simulator)

Total combinations: 3.40e+38
Difficulty class: UNCRACKABLE — beyond all known computational means
Exhaustive search time: 7.81e+10× universe age (uncomputable)
Avg time to find (50% probability): 3.91e+10× universe age (uncomputable)

Brain wallet attack

Common phrase dictionary size: 1e+8
Dictionary attack time: 100.00 seconds

⚠ Brain wallets with common phrases are crackable in MINUTES even with weak hardware. Multiple people have lost millions to this. NEVER use a passphrase you can remember as your only seed.

Entropy is the only number that matters

Entropy measures the size of the keyspace an attacker must search. 128 bits = 2^128 ≈ 3.4 × 10^38 possible seeds. Even a nation-state with 10^18 hashes per second would take 10^12 years to exhaustively search — 100× the age of the universe. The actual threat to your seed is NOT brute force; it's leakage (photo of paper backup), bad random number generation (hardware wallet firmware bug), or social engineering (you typed the seed into a phishing site).

Why brain wallets fail

Brain wallets generate keys from a memorable passphrase. Sounds elegant — no paper backup, just memorise. The catastrophic flaw: HUMANS PICK MEMORABLE PHRASES. Common phrases (lyrics, Bible verses, famous quotes, easy passwords) have effective entropy around 30-60 bits — crackable in MINUTES to HOURS by anyone with a GPU and a wordlist. Multiple millionaires lost their entire holdings to brain wallet attacks (notable: $4M from a 'do not go gentle' Bitcoin wallet in 2014). Modern wisdom: NEVER use a brain wallet for anything you can't afford to lose.
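The two sections above (keyspace size and brain-wallet entropy) boil down to one calculation: how many bits does the attacker actually have to search, and how long does that take at a given guess rate. The following Python is an added example, not code from this page's simulator; the universe age, the seconds-per-year constant, the guess rates and the difficulty-class thresholds are assumptions chosen for the example. It derives the 128/256-bit figures from the BIP39 word count (11 bits per word, ENT/32 of which are checksum), and shows why a phrase drawn from a list of 10^8 common phrases is worth only about 27 bits regardless of how many words it contains. Run at the text's 10^18 guesses per second, 2^128 works out to roughly 10^13 years, a little above the rounded "10^12 years" in the text but the same conclusion.

```python
import math

# Constants for the estimates (assumed values for this example)
UNIVERSE_AGE_YEARS = 1.38e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def bip39_entropy_bits(n_words: int) -> int:
    """Raw entropy (ENT) behind a BIP39 mnemonic of n_words words.

    Each word encodes 11 bits and ENT/32 of the total bits are checksum, so
    11 * n_words = ENT + ENT/32, i.e. ENT = 32 * n_words / 3.
    """
    if n_words % 3 != 0 or not 12 <= n_words <= 24:
        raise ValueError("BIP39 mnemonics have 12, 15, 18, 21 or 24 words")
    return 32 * n_words // 3


def dictionary_bits(phrase_count: float) -> float:
    """Effective entropy of a brain-wallet phrase taken from a list of
    phrase_count common phrases: the attacker only has to try the list."""
    return math.log2(phrase_count)


def exhaustive_search_seconds(bits: float, guesses_per_second: float) -> float:
    """Seconds needed to try every candidate in a 2**bits keyspace."""
    return 2.0 ** bits / guesses_per_second


def search_time_report(bits: float, guesses_per_second: float) -> dict:
    """Worst-case and expected (50%) search times, scaled to years and to
    multiples of the age of the universe."""
    worst = exhaustive_search_seconds(bits, guesses_per_second)
    years = worst / SECONDS_PER_YEAR
    return {
        "bits": bits,
        "worst_case_seconds": worst,
        "expected_seconds": worst / 2,  # on average the key turns up halfway through
        "worst_case_years": years,
        "universe_ages": years / UNIVERSE_AGE_YEARS,
    }


def difficulty_class(bits: float) -> str:
    """Coarse labels; the thresholds are this example's own choice."""
    if bits < 40:
        return "TRIVIAL - dictionary/GPU attack in minutes to hours"
    if bits < 80:
        return "WEAK - feasible for a well-funded attacker"
    if bits < 112:
        return "MARGINAL - not recommended for long-term storage"
    return "UNCRACKABLE - beyond all known computational means"


if __name__ == "__main__":
    nation_state = 1e18  # guesses per second, the rate used in the text above
    single_gpu = 1e9     # assumed rate for one GPU hashing unsalted SHA-256

    for n in (12, 24):
        r = search_time_report(bip39_entropy_bits(n), nation_state)
        print(f"{n} words: {r['bits']} bits, {r['worst_case_years']:.2e} years, "
              f"{r['universe_ages']:.0f}x universe age, {difficulty_class(r['bits'])}")

    phrase_bits = dictionary_bits(1e8)  # 10^8 common phrases, as in the simulator
    r = search_time_report(phrase_bits, single_gpu)
    print(f"brain wallet: {phrase_bits:.1f} bits, {r['worst_case_seconds']:.2f} s, "
          f"{difficulty_class(phrase_bits)}")
```

The point the numbers make: the word count of a brain-wallet phrase is irrelevant, only the size of the list it was picked from matters, and log2 of any humanly browsable list is tiny next to 128.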

12 vs 24 words — does it matter?

Practically: 12 is enough for everyone today. 24 protects against future quantum computers (Shor's algorithm halves effective security against ECDSA, so 128 bits → 64 effective bits which IS crackable). If you believe quantum computers will be production-ready in your lifetime (~30-50 years estimated), use 24. If you're skeptical, 12 is fine. Bitcoin Core defaults to 12. Trezor defaults to 24. Ledger lets you choose. The cost of 24 over 12 is harder backup management.

Real threats vs theoretical threats

Real losses come from: (1) phishing — someone tricks you into typing seed into a fake site. (2) Physical theft — someone finds your paper backup. (3) Bad RNG — your hardware wallet's seed was generated with a flawed random source (this happened to Ledger Nano S in 2020 with seed-extraction bug, fixed via firmware). (4) Social engineering — friend/family with seed access becomes adversarial. Brute-force attacks on properly-generated 12+ word seeds: ZERO documented cases. Spend your security worry on the threats that actually happen.

Frequently asked questions

Should I add a passphrase (25th word) to my seed?

Yes if you can manage the complexity. A passphrase creates a 'second wallet' from the same 24 words — effectively requires both the seed AND the passphrase to access funds. Defends against finder-of-paper-backup but creates new failure mode: forget passphrase = lose funds. Best for medium-large holdings ($10k-1M) where the extra security justifies the complexity. For < $5k or > $10M, the passphrase trade-off changes (small amounts don't need it; massive amounts need multisig instead).
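The "second wallet" effect comes from how BIP39 turns the words into a seed: PBKDF2-HMAC-SHA512 over the NFKD-normalised mnemonic with the salt "mnemonic" + passphrase, 2048 rounds, 64-byte output. Any passphrase, including an empty one, yields a valid but entirely different seed, which is exactly why a forgotten or mistyped passphrase means lost funds. The Python below is an added example (not code from this page) using only the standard library; the mnemonic and expected seed are the standard all-zero-entropy BIP39 test vector with passphrase "TREZOR", which is the check a practitioner should run against any wallet implementation before trusting it.

```python
import hashlib
import unicodedata


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed derivation: PBKDF2-HMAC-SHA512, 2048 rounds, 64 bytes.

    The mnemonic is the password; the salt is the literal string "mnemonic"
    followed by the passphrase. Both are NFKD-normalised, as the standard
    requires, so visually identical Unicode input derives the same seed.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


def differing_bits(a: bytes, b: bytes) -> int:
    """Hamming distance between two seeds (out of 512 bits)."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


# Standard BIP39 English test vector: all-zero entropy, passphrase "TREZOR"
TEST_MNEMONIC = " ".join(["abandon"] * 11 + ["about"])
TEST_SEED_HEX = (
    "c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
    "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04"
)


if __name__ == "__main__":
    no_pass = bip39_seed(TEST_MNEMONIC)
    with_pass = bip39_seed(TEST_MNEMONIC, "TREZOR")
    typo = bip39_seed(TEST_MNEMONIC, "Trezor")  # one letter of case differs

    print("matches BIP39 test vector:", with_pass.hex() == TEST_SEED_HEX)
    print("empty vs real passphrase differ in bits:", differing_bits(no_pass, with_pass))
    print("'TREZOR' vs 'Trezor' differ in bits:", differing_bits(with_pass, typo))
```

A one-character case difference in the passphrase changes roughly half of the 512 seed bits, so there is no "close enough": the wallet derived from a mistyped passphrase is simply a different, empty wallet, and the wallet software cannot tell you that.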

Can someone guess my seed from just my public key?

No. Public-key cryptography is the foundation. From your public key, attackers cannot derive your private key (or seed) without solving the elliptic-curve discrete log problem — which is roughly equivalent to brute-forcing the seed. Both are computationally infeasible. The risks are in HOW you store/use the seed, not in the math of the key derivation itself.

What if my hardware wallet uses bad RNG?

It's happened — multiple times. Ledger had a seed-extraction vulnerability in 2020. Trezor had a side-channel attack in 2018. Each time the manufacturer issued firmware updates. Mitigation: (1) Check your hardware wallet's audit history before purchase. (2) Run firmware updates promptly. (3) For very large holdings, derive the seed from DICE rolls instead of trusting the device's RNG (BIP39 supports this — roll dice to generate entropy, then enter the rolls into a wallet that supports dice-roll entry, such as Coldcard). (4) Use multisig — a single device compromise doesn't lose funds.

Is a 12-word seed safe from quantum computers?

Today: yes. Future: probably no. ECDSA (Bitcoin's signature scheme) is broken by sufficiently large quantum computers via Shor's algorithm. Estimates for when production quantum computers can crack 256-bit ECDSA range from 2040 to never. Bitcoin will likely move to post-quantum signatures (likely some BLS or lattice-based scheme) before that happens. For today's funds: 12 words is safe; the threat is decades away.

Can I increase my existing seed's strength after the fact?

Not really — your seed's entropy is fixed at generation. You can: (1) Move funds to a new wallet with a longer seed. (2) Add a passphrase (creates effective extra entropy IF the passphrase is strong + memorable). (3) Use multisig to require multiple signatures from different seeds. Each adds operational complexity. Picking the right entropy at wallet creation is the cheapest defense.