Lesson 2 — Entropy and seeds: where your keys really come from
A seed phrase isn't magic — it's a human-readable encoding of randomness. Today: where the randomness comes from, why 24 words is the practical ceiling, and why brain wallets keep getting drained.
Every modern non-custodial wallet starts the same way: it generates a random number, then encodes that number as a list of words. Everything else — every key, every address, every account — is derived from that one number. If the original randomness is bad, the wallet is bad. This lesson is about the part of self-custody that's invisible but matters most.
BIP-39, the standard that defines seed phrases, takes entropy — true random bits — and converts it into a list of words from a fixed 2048-word dictionary. 128 bits of entropy becomes 12 words. 256 bits of entropy becomes 24 words. (192 bits, giving 18 words, also exists but is rare.) The last word includes a checksum, which is why a single typo usually fails validation rather than silently producing a different wallet.
128 bits of entropy is already 2^128 possible seeds — a number with 39 digits. 256 bits is 2^256, a number with 78 digits. To put the second number in perspective: if every atom in the observable universe were a computer trying one seed per nanosecond since the Big Bang, the total attempts would not yet reach 2^256. Brute-forcing a properly-generated 24-word seed is not 'hard.' It is impossible under any physics we understand.
The catch is that the seed is only as random as the source that generated it. A wallet on a device with a weak random-number generator can produce predictable seeds, and there are documented cases (cheap Android wallets in the mid-2010s, browser extensions with bad RNG fallbacks) where this happened at scale. Reputable hardware wallets use multiple entropy sources — hardware RNG, user-input timing, secure-element randomness — combined together so that no single source's failure is catastrophic.
If you don't trust the device, you can generate entropy yourself with dice. A standard six-sided die produces about 2.58 bits per roll, so 99 rolls give you slightly more than 256 bits — enough for a 24-word BIP-39 seed. You convert dice rolls to entropy with a deterministic process (the Glacier Protocol documents this in detail), then feed the entropy to the wallet, which converts it to a mnemonic. This isn't paranoia for paranoia's sake — it's the only way to be confident the wallet's RNG didn't betray you.
Brain wallets — seeds generated from a passphrase you make up — are the opposite. Humans are not random. The most common passphrases (song lyrics, quotes, dictionary words combined) have been pre-computed by attackers. Brain-wallet drainers run continuously, hashing every plausible human phrase and instantly sweeping any address that has a balance. The phrase you 'just made up' is almost certainly in their list.
Validating a seed offline is straightforward: BIP-39's checksum means any 12- or 24-word combination has only a 1-in-16 (or 1-in-256) chance of being a valid mnemonic by accident. Open-source tools like Ian Coleman's mnemonic code converter (run offline, on an air-gapped machine) let you confirm the checksum without exposing the seed to the internet. This is most useful for verifying that a written-down seed actually matches what was generated.
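As an added example (not the lesson's own material or any wallet's code), the BIP-39 layout described above in Python: entropy plus its SHA-256 checksum split into 11-bit word indices, the reverse check an offline validator performs, and a plain base-6 packing of dice rolls into entropy bytes. The three-word wordlist excerpt and the packing routine are assumptions for the example; the packing is not the Glacier Protocol's procedure, only a deterministic stand-in for it.

```python
# Added example (not the lesson's or any wallet's code): BIP-39 bit layout, the checksum
# check behind offline validation, and a simple packing of dice rolls into entropy bytes.
import hashlib
from typing import List, Optional

# Excerpt of the BIP-39 English list, just enough to render the spec's all-zero test vectors.
WORDS_EXCERPT = {0: "abandon", 3: "about", 102: "art"}

def entropy_to_indices(entropy: bytes) -> List[int]:
    """Append an ENT/32-bit SHA-256 checksum to ENT bits of entropy; split into 11-bit indices."""
    ent = len(entropy) * 8
    if ent not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 128..256 bits in 32-bit steps")
    cs = ent // 32                                   # 4 checksum bits for 12 words, 8 for 24
    digest = hashlib.sha256(entropy).digest()
    bits = (int.from_bytes(entropy, "big") << cs) | (digest[0] >> (8 - cs))
    n_words = (ent + cs) // 11
    return [(bits >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]

def indices_to_entropy(indices: List[int]) -> Optional[bytes]:
    """Reverse the encoding; None means the checksum failed (a typo, or a random word set)."""
    n_words = len(indices)
    if n_words not in (12, 15, 18, 21, 24) or any(not 0 <= i < 2048 for i in indices):
        return None
    cs = n_words // 3                                # 12 words -> 4 bits, 24 words -> 8 bits
    bits = 0
    for i in indices:
        bits = (bits << 11) | i
    entropy = (bits >> cs).to_bytes((n_words * 11 - cs) // 8, "big")
    expected = hashlib.sha256(entropy).digest()[0] >> (8 - cs)
    return entropy if (bits & ((1 << cs) - 1)) == expected else None

def mnemonic_from_entropy(entropy: bytes, wordlist=WORDS_EXCERPT) -> str:
    """Render indices as words; a real tool uses the full 2048-word list."""
    return " ".join(wordlist[i] for i in entropy_to_indices(entropy))

def dice_to_entropy(rolls: List[int], n_bytes: int = 32) -> bytes:
    """Pack six-sided rolls (1..6) into n_bytes by positional base-6 encoding.
    A plain deterministic packing for this example, not the Glacier Protocol's procedure."""
    if any(r not in range(1, 7) for r in rolls):
        raise ValueError("each roll must be 1..6")
    value = 0
    for r in rolls:
        value = value * 6 + (r - 1)
    if value >> (8 * n_bytes):                       # 6^99 < 2^256, so 99 rolls always fit
        raise ValueError("too many rolls for the requested entropy size")
    return value.to_bytes(n_bytes, "big")
```

The spec's all-zero vectors render as eleven "abandon" then "about" (12 words) and twenty-three "abandon" then "art" (24 words); changing the last word to the next index fails the checksum, which is the typo protection the lesson describes.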
Example
In 2017, researchers at WIRED and elsewhere documented brain-wallet sweepers running continuously against Ethereum addresses. The same phrases — 'satoshi nakamoto', song lyrics, Bible verses — would be drained within seconds of any funds appearing. The lesson generalises: human-chosen seeds aren't random. Random number generators with 256 bits of true entropy are. The whole point of letting the wallet generate the seed (or using dice if you don't trust the wallet) is to extract you from the loop entirely.
Common mistakes
- Believing that a 'memorable' seed is fine — every human-memorable phrase has been pre-hashed by attackers.
- Using a 12-word seed when a 24-word seed is available. The extra words cost nothing in normal use and double the bits of entropy behind the wallet.
- Generating a seed on a phone or laptop with no secure-element RNG and assuming it's as random as a hardware wallet's seed.
- Writing down the seed without verifying it. The most common form of self-custody loss isn't theft — it's writing down 24 words wrong and not realising until the device fails.
- Putting trust in 'wallet-generator' websites. Anything generated in a browser tab is one cross-site script away from leaking the seed to the operator.
Check your understanding
Why is a BIP-39 seed generated from properly-sourced 256-bit entropy considered uncrackable by brute force?
Sources & further reading
- Primary: BIP-39 specification — Mnemonic code for generating deterministic keys. Canonical specification of the seed-phrase format used by nearly every modern wallet.
- Primary: NIST SP 800-90A Rev. 1 — Recommendation for Random Number Generation. US standard for deterministic random bit generators.
- Secondary: Glacier Protocol — Dice entropy procedure. Open-source protocol documenting verifiable entropy generation with dice.