The 12 or 24 words on the back of your hardware wallet are the wallet. The plastic device on your desk is just a calculator that knows how to use them. If you understand only one thing about self-custody, understand that — and then understand what that means for how you store, verify, and protect those words.
This is the article I wish someone had handed me in 2017 when I bought my first hardware wallet, glanced at the seed card, and put it in a drawer. Six years and a thousand near-misses later, this is what I actually know.
TL;DR. The 12 / 24 words are entropy + a few checksum bits, deterministically mapped through a list of 2,048 dictionary words. They generate every Bitcoin address and private key your wallet will ever use. They live nowhere except wherever you wrote them down. Storing them well means defending against four threat classes: fire / water / loss (physical), theft (someone in your house), coercion (someone holding a wrench), and stupidity (you, in five years, having forgotten what the metal plate in the drawer is). Each of those threats has a different mitigation, and the optimal solution for one is usually wrong for another.
What the words actually are
BIP-39 is a Bitcoin Improvement Proposal from 2013 that defines how to convert a wallet’s underlying entropy into a memorable list of English (or other-language) words.
The mechanics, briefly:
- The wallet’s hardware random-number generator produces 128 bits (for a 12-word phrase) or 256 bits (for 24 words) of entropy. This step is the only step where physical randomness has to be good — the rest is deterministic.
- A SHA-256 hash of those bits is taken. The first 4 bits (12-word) or 8 bits (24-word) of the hash are appended as a checksum. So a 12-word phrase encodes 128 bits of entropy + 4 bits of checksum = 132 bits total.
- The 132 / 264 bits are split into 11-bit groups. Each 11-bit value (0-2047) maps to a word in the BIP-39 wordlist of exactly 2,048 words.
- Done. The string of words IS the entropy + checksum, in a more memorable form.
To turn the words back into actual Bitcoin keys, the BIP-39 phrase is fed through PBKDF2 with HMAC-SHA512, 2,048 iterations, with the string “mnemonic” plus the optional passphrase as the salt. The output is the master seed — 512 bits of cryptographically derived material that the BIP-32 hierarchical deterministic (HD) wallet algorithm then uses to generate every address you’ll ever see.
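The entropy-to-words mechanics above, as an added worked example that is not part of this article: it appends the SHA-256 checksum bits, splits the result into 11-bit indices, and reverses the process to check a phrase's checksum. The 2,048-word English list is not embedded; the index-to-word step only runs if you pass the list in (one word per line from the BIP-39 repository). The all-zero entropy values used in the comments are the standard BIP-39 test vectors (12 × “abandon” ending in “about”, index 3; 23 × “abandon” ending in “art”, index 102).

```python
import hashlib

# Added example, not the article's own code. Pure stdlib, runs offline.
# Indices are the real unit here; the word list is just a lookup table.

def entropy_to_indices(entropy: bytes) -> list:
    """Append the SHA-256 checksum bits and split into 11-bit word indices."""
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("entropy must be 128-256 bits in 32-bit steps")
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32                    # 4 bits for 12 words, 8 for 24
    digest = hashlib.sha256(entropy).digest()
    checksum = digest[0] >> (8 - cs_bits)       # leading cs_bits of the hash
    combined = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // 11        # 132 // 11 = 12, 264 // 11 = 24
    return [(combined >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]

def indices_to_entropy(indices) -> bytes:
    """Strip the checksum from a list of word indices; raise if it does not match."""
    n_words = len(indices)
    if n_words not in (12, 15, 18, 21, 24) or any(not 0 <= i < 2048 for i in indices):
        raise ValueError("bad word count or index out of range")
    total_bits = n_words * 11
    cs_bits = total_bits // 33                  # 132 -> 4, 264 -> 8
    ent_bits = total_bits - cs_bits
    combined = 0
    for i in indices:
        combined = (combined << 11) | i
    entropy = (combined >> cs_bits).to_bytes(ent_bits // 8, "big")
    claimed = combined & ((1 << cs_bits) - 1)
    actual = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    if claimed != actual:
        raise ValueError("checksum mismatch: a word was miswritten or swapped")
    return entropy

def checksum_is_valid(indices) -> bool:
    """What a client-side BIP-39 validator answers: is the phrase self-consistent?"""
    try:
        indices_to_entropy(indices)
        return True
    except ValueError:
        return False

def words_to_indices(phrase: str, wordlist) -> list:
    """Map words to indices. A word that is not on the list is caught here,
    before the checksum is even looked at."""
    lookup = {w: i for i, w in enumerate(wordlist)}
    words = phrase.lower().split()
    missing = [w for w in words if w not in lookup]
    if missing:
        raise ValueError(f"not in wordlist: {missing}")
    return [lookup[w] for w in words]

if __name__ == "__main__":
    # Standard test vector: 16 zero bytes -> eleven index-0 words and index 3 ("about").
    print(entropy_to_indices(bytes(16)))        # [0, 0, ..., 0, 3]
    # 32 zero bytes -> twenty-three index-0 words and index 102 ("art").
    print(entropy_to_indices(bytes(32))[-1])    # 102
    # Change the last word and the checksum no longer matches.
    print(checksum_is_valid([0] * 11 + [3]), checksum_is_valid([0] * 11 + [4]))
```

Note the limit of this check, which matters for the recovery-test section: with only 4 checksum bits, about 1 in 16 arbitrary 12-word combinations from the list passes (1 in 256 for 24 words), so a valid checksum proves the phrase was copied consistently, not that it is the phrase for the wallet you think it is.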
Three corollaries to remember:
- The same 12/24 words always generate the same wallet, on any BIP-39-compliant device. Coldcard, Trezor, Ledger, Sparrow, Electrum — they’ll all derive identical addresses from identical words. This is a feature: you can recover from any vendor’s failure by typing the words into a different vendor’s device.
- A passphrase (“25th word”) is technically a salt, not a 25th word. It changes the master seed entirely, producing a different wallet. We’ll come back to this — it’s both powerful and dangerous.
- The checksum byte means random word combinations almost certainly won’t validate. That’s why the BIP-39 validator on this site can tell you whether a phrase you wrote down is mathematically self-consistent. If you swapped two letters in word 7, the checksum almost certainly fails — which is exactly how you find out.
Where the words actually live
This is what the phishing campaigns impersonating Ledger / Trezor / Coinkite are constantly after: “send us your seed for verification.” Every legitimate vendor has the same answer:
The seed exists nowhere except where you wrote it down. The vendor doesn’t have it. The vendor doesn’t want it. The vendor cannot recover it for you. Nobody can.
Inside the device, the seed never leaves the secure element after generation. When you sign a transaction, the device uses the seed to derive the relevant private key, signs the transaction, and returns the signature. The seed itself never crosses the USB cable, never crosses Bluetooth, never crosses the air gap. (This is what makes a hardware wallet a hardware wallet.)
When you wipe the device, the seed is gone from the device. If you didn’t write it down, and the device is wiped, the wallet is gone forever. There is no recovery. There is no “I lost my password” link. There is no support number to call.
This is the asymmetry of self-custody: you have all the power, and you have all the responsibility. Both at once.
The four threat classes
I’ve watched friends lose Bitcoin to all four of these. Different storage strategies map to different threats — the optimal answer depends on which you’re optimising against.
Threat 1 — fire / water / loss (physical degradation)
The ink on a paper seed card runs in a flooded basement. The card itself burns in a house fire. You move three times in a decade and one of the moves loses a box. Statistically, this is the most common way self-custodians lose their coins.
Mitigation ladder:
- Paper, single copy → fragile, do not stop here
- Paper, multiple copies in different places → better, but multiplies your theft surface
- Steel plate (Cryptosteel, Blockmit, Coldti, etc.) → fire-proof to ~1100°C, water-proof, immune to flooding. Default recommendation for most people.
- Multiple steel plates in different geographic locations → real redundancy, but every extra copy is one more place a burglar can find a complete seed
The cost of a steel plate is $20-100. The expected value of not having one if you have any meaningful holding is staggeringly negative. This is the single highest-ROI security upgrade in self-custody. Buy it the same week you set up the wallet.
Threat 2 — theft (someone in your house)
A house guest finds your seed card in a drawer. A burglar finds it during a break-in. A roommate’s friend’s friend hears about your Bitcoin and goes looking. A family member rifling through the safe.
Mitigation ladder:
- Hidden in your house → relies on hider being smarter than seeker. Bad assumption.
- Hidden in someone else’s house (parents, friend) → moves the threat. Now relies on their hiding.
- Safe / safety deposit box → physical security goes up, but the existence of the safe screams “valuable thing inside”
- Steel plate split across two locations using Shamir’s Secret Sharing (SSS) with a 2-of-3 or 3-of-5 threshold → no single location compromises the wallet
- Multisig with keys at 3+ different locations → operationally complex but eliminates single-key theft entirely
Multisig is the right answer for any holding above ~1 BTC, in my opinion. Below that, the operational complexity tax outweighs the security benefit for most people.
Threat 3 — coercion (the $5 wrench attack)
xkcd 538 is the best diagram in cryptography. If someone holds a wrench, the threat model isn’t your seed storage — it’s you. The attacker doesn’t need to break encryption. They need to break you.
Mitigation ladder:
- Don’t tell anyone you own Bitcoin → the most underrated security control. If they don’t know, they don’t ask.
- Plausibly deniable wallets via BIP-39 passphrase → put 99% of your funds in a passphrased wallet, leave a small “decoy” amount in the no-passphrase wallet at the same seed. If coerced, give up the small wallet. (See passphrase section below — this requires careful execution.)
- Multisig with one key in a jurisdiction the attacker can’t reach → genuine geographic security. Operationally heavy.
- Time-locked vaults (CSV / OP_CHECKLOCKTIMEVERIFY) → coins can’t be moved for N blocks, attacker can’t get value in real-time. New, less proven, but increasingly viable post-Taproot.
For most people, the rational answer is the first one: keep your mouth shut. Public bragging about Bitcoin holdings is the leading indicator for “person who got robbed”.
Threat 4 — stupidity / future-you
This is the threat people prepare for least and lose to most.
It’s 8 years from now. Your steel plate is in a fireproof safe in a closet. You’ve moved twice. You’re cleaning out a box of old electronics and you find what looks like a metal plate with random words on it. You don’t remember which wallet it goes to. You don’t remember if it’s the live wallet or a testnet practice wallet you made years ago. Your spouse asks what the plate is and you don’t have a confident answer.
Mitigation ladder:
- Label the plate with a non-identifying tag (e.g., “BTC L1 main 2025”) → you remember in 8 years; thieves don’t get your full identity
- Maintain a written inheritance plan in a sealed envelope with your trusted person → makes future-you’s job easier and handles the worst case (you die)
- Test recovery once a year → the only way to know your storage actually works is to actually use it
- Don’t make the system more complex than you can remember in 5 years → multisig with 4 vendors and a passphrase is theoretically more secure but if future-you has any chance of fumbling the recovery, the security gain is negative. Optimise for the recoverability path, not just the threat-resistance path.
The BIP-39 passphrase — when it helps, when it kills you
The “25th word” is the most powerful and most dangerous feature in BIP-39.
What it actually does: changes the master seed entirely. Your 24 words + passphrase “trezor” generate one wallet. Your 24 words + passphrase “treezor” generate a completely different wallet, with completely different addresses, that has no on-chain link to the first.
When it helps:
- Plausible deniability. The 24-word seed (no passphrase) holds a decoy with $200. The 24-word seed + your real passphrase holds the actual stack. If forced to reveal the seed, you reveal the words and not the passphrase. Attacker imports, sees $200, leaves you alone.
- Defending against partial seed compromise. If a thief photographs your steel plate but you didn’t write the passphrase down (you remember it), the wallet is still safe.
When it kills you:
- You forget the passphrase. There is no “forgot password”. The wallet is gone. You have a 24-word backup that proves you used to own it; you can’t get it.
- You misremember the passphrase. The wallet you derive from the wrong passphrase is a different valid wallet with $0 in it. You’ll see “balance: 0”, panic, try the original, find it’s empty, and at no point realise you typed “trezor” instead of “Trezor”.
- You record the passphrase in the same place as the seed → it’s not a passphrase, it’s a longer seed.
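The seed derivation described earlier and the passphrase behaviour described in this section, as one added example that is not from the article: PBKDF2-HMAC-SHA512 with 2,048 rounds and the salt “mnemonic” + passphrase, followed by the BIP-32 master-key step (HMAC-SHA512 keyed with “Bitcoin seed”). It shows that “trezor”, “treezor” and “Trezor” each yield a different, equally valid master key from the same 24 words. The `wallet_id` label is a constructed helper for this example, not the BIP-32 fingerprint, which is derived from the public key.

```python
import hashlib
import hmac
import unicodedata

# Added example, not the article's code. Stdlib only.

def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39: PBKDF2-HMAC-SHA512, 2048 rounds, 64-byte output.
    Both inputs are NFKD-normalised and the salt is "mnemonic" + passphrase."""
    words = unicodedata.normalize("NFKD", " ".join(mnemonic.split()))
    salt = "mnemonic" + unicodedata.normalize("NFKD", passphrase)
    return hashlib.pbkdf2_hmac("sha512", words.encode("utf-8"),
                               salt.encode("utf-8"), 2048, 64)

def bip32_master(seed: bytes):
    """BIP-32: I = HMAC-SHA512(key="Bitcoin seed", data=seed);
    left 32 bytes are the master private key, right 32 bytes the chain code."""
    i = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return i[:32], i[32:]

def wallet_id(mnemonic: str, passphrase: str = "") -> str:
    """Constructed label for comparing wallets in this example: the first 8 hex
    characters of SHA-256(master private key). Never print the key itself."""
    key, _ = bip32_master(mnemonic_to_seed(mnemonic, passphrase))
    return hashlib.sha256(key).hexdigest()[:8]

# Standard all-zero-entropy test phrase (public, holds nothing).
WORDS = "abandon " * 11 + "about"

def passphrase_variants(mnemonic: str, candidates) -> dict:
    """Map each candidate passphrase to the wallet it opens. Every entry is a
    different wallet; a mistyped passphrase silently opens an empty one."""
    return {p: wallet_id(mnemonic, p) for p in candidates}

if __name__ == "__main__":
    for p, wid in passphrase_variants(WORDS, ["", "trezor", "treezor", "Trezor"]).items():
        print(f"passphrase {p!r:10} -> wallet {wid}")
```

The empty-passphrase entry is the “decoy” wallet from the coercion section; the other three are three distinct wallets, and nothing in the output hints which one holds funds. That is the whole point, and also exactly why a typo is undetectable without an address comparison against a known-good wallet.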
The passphrase is appropriate if:
- You can memorise it AND record it in a separate location your heirs can find AND test recovery with it AND understand what it does.
- Your holdings are large enough to justify the operational complexity.
- You’re sober about the failure modes.
If you’re not sure you can do all four, don’t use it. A standard 24-word seed in a steel plate is fine for most people. A non-trivial number of self-custodians have lost more to forgotten passphrases than to attackers.
How to verify a backup actually works
Writing down 24 words and putting them in a safe is necessary but not sufficient. You don’t know the backup works until you’ve tested it.
Test recovery procedure (do this annually):
- Wipe a different hardware wallet (not your primary). Or use a software wallet on an air-gapped, freshly-installed laptop.
- Type your 24 words into it. If you have a passphrase, enter that too.
- Verify the first 5 receiving addresses match your primary wallet’s addresses exactly. If they don’t match, you have the wrong seed, the wrong derivation path, the wrong passphrase, or all three.
- Don’t move funds. This is a verification, not a migration. Wipe the test device when done.
You can also use the BIP-39 validator on this site to confirm your written-down phrase has a valid checksum. That tells you the phrase is mathematically self-consistent — i.e. you didn’t accidentally swap a letter or word. It doesn’t tell you it generates the right wallet (only the address comparison in the third step above does that).
I cannot tell you how many people I’ve talked to who’d never tested their backup, only to find out years later when they actually needed it that they had a typo in word 9.
What “good” looks like
For a self-custodian with $5K-$500K in Bitcoin (the most common range):
- Hardware wallet of any reputable vendor (see our reviews), bought in person or shipped to a P.O. box
- 24-word seed generated on the device’s RNG, never typed into anything else
- Steel-plate backup in a fireproof safe at home, secondary copy at a bank deposit box or trusted family member
- No BIP-39 passphrase, OR passphrase memorised + recorded separately + recovery-tested annually
- Annual recovery test with a wiped secondary device or air-gapped laptop
- Mouth shut about specific holdings
For $500K+: add multisig (Sparrow + 3 hardware wallets at 3 locations, 2-of-3 quorum), and consider an inheritance lawyer to formalise the plan.
For under $1K: a steel plate is overkill. Paper in a fireproof box is fine. Don’t let the perfect be the enemy of the good.
What “bad” looks like
The real-world stories I hear most often:
- Seed in a Google Doc / iCloud Notes / 1Password → exfiltrated by remote attackers
- Seed photographed on a smartphone → in iCloud forever; one breach reveals it
- Seed shared with a spouse over text → iMessage backups, screenshot risk
- Seed split across multiple steel plates without a documented threshold → spouse can’t recover after death
- Passphrase set, never written down, holder dies → coins permanently lost
- Seed never recovery-tested → typo in word 9 discovered after fire destroys plate
Every single one of these is preventable for less than the cost of a hardware wallet and an afternoon of careful work.
Tools
- BIP-39 validator — verify the checksum byte of a written-down phrase, runs entirely client-side, no telemetry
- Address validator — confirm receiving addresses match between primary and recovery wallet during test
- Hardware wallet reviews — first-person notes on Coldcard, Trezor, BitBox02, Foundation Passport, etc.
Further reading
- BIP-39 specification
- BIP-32 hierarchical deterministic wallets
- Lopp’s curated bitcoin-information list (best resource hub in the space)
- Coinkite blog on multisig setups
- Casa, Unchained — commercial multisig services, useful for larger holdings if DIY feels too operationally heavy