What the word count actually encodes

A BIP-39 seed phrase encodes a random number plus a checksum, using a fixed dictionary of 2,048 words (each word = 11 bits):

  • 12 words = 128 bits of entropy + 4 bits checksum;
  • 24 words = 256 bits of entropy + 8 bits checksum.

From either, the wallet derives every private key on every network — Ethereum, Bitcoin, Solana, TRON, all of it, as described in our self-custody primer.

Is 128 bits enough? Yes — with numbers

2¹²⁸ is about 3.4 × 10³⁸ possibilities. The entire Bitcoin mining network — humanity's largest brute-force machine, ~10²¹ hashes per second — would need on the order of 10¹⁰ years to enumerate half of that space: roughly the age of the universe. And a mnemonic guess is far more expensive than one Bitcoin hash (BIP-39 requires 2,048 rounds of HMAC-SHA512 per attempt, plus deriving and checking addresses).

There is no realistic scenario in which someone brute-forces a properly generated 12-word phrase. When you read "wallet drained via cracked seed", the seed was generated by broken software with too little randomness, or leaked — never guessed out of the full 2¹²⁸ space.

Ethereum's own security rests on the same ~128-bit level; a 24-word phrase (256 bits) exceeds what the rest of the cryptography can even use. It is defense against an adversary that does not exist — including, per current understanding, quantum computers, whose Grover speedup would still leave 2⁶⁴ effective operations against 128 bits while breaking the elliptic curves themselves first anyway.

The uncomfortable truth

Seed phrases fail through exposure and loss, in roughly this order: photographed / stored in cloud notes, phished, physically found, destroyed with no second copy, or generated by malicious software. Word count changes none of these. Handling does.

So why do 24 words exist — and when to prefer them

  • Historical default: early hardware wallets standardized on 24; the margin cost nothing on paper and matched 256-bit internal secrets.
  • Compliance/belt-and-suspenders: institutional policies sometimes mandate 256-bit secrets across the board; 24 words satisfies that on principle.
  • Slightly better resilience to partial leaks: if an attacker photographs half of your backup, the remaining unknown words leave 2⁶⁶ combinations for 12-word phrases but 2¹³² for 24 — the latter stays unbreakable even half-exposed. This is the one technically real advantage, and it argues mostly for not letting phrases be photographed at all.

The practical costs of 24 words are mundane but real: twice the transcription surface (writing errors happen — the checksum catches most but not all), longer to verify, longer to type on a phone during recovery, bulkier metal backups.
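The encoding and the checksum's miss rate can be checked directly. The following is an added example, not code from this page or from any wallet: it works on 11-bit word indices instead of dictionary words, uses constructed all-zero sample entropy, and its function names are illustrative.

```python
import hashlib

def entropy_to_indices(entropy: bytes) -> list[int]:
    """BIP-39 layout: entropy || first ENT/32 bits of SHA-256(entropy), cut into 11-bit indices."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("entropy must be 128-256 bits in 32-bit steps")
    cs_bits = ent_bits // 32                      # 4 for 12 words, 8 for 24
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    combined = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // 11
    return [(combined >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]

def indices_valid(indices: list[int]) -> bool:
    """Recompute the checksum from the entropy part and compare with what was written down."""
    n_words = len(indices)
    if n_words not in (12, 15, 18, 21, 24) or any(not 0 <= i < 2048 for i in indices):
        return False
    cs_bits = n_words * 11 // 33
    combined = 0
    for i in indices:
        combined = (combined << 11) | i
    entropy = (combined >> cs_bits).to_bytes((n_words * 11 - cs_bits) // 8, "big")
    return entropy_to_indices(entropy) == list(indices)

def undetected_substitutions(indices: list[int], position: int) -> int:
    """How many of the 2,047 wrong words at one position still pass the checksum."""
    passed = 0
    for wrong in range(2048):
        if wrong != indices[position]:
            trial = list(indices)
            trial[position] = wrong
            passed += indices_valid(trial)
    return passed

# Constructed sample entropy (all zero bytes); never use it for a real wallet.
SAMPLE_12 = entropy_to_indices(bytes(16))
SAMPLE_24 = entropy_to_indices(bytes(32))

if __name__ == "__main__":
    for name, sample in (("12 words", SAMPLE_12), ("24 words", SAMPLE_24)):
        first = undetected_substitutions(sample, 0)
        last = undetected_substitutions(sample, len(sample) - 1)
        print(f"{name}: {first} of 2047 wrong first words pass, {last} wrong last words pass")
```

Because the last word carries the checksum bits, exactly 127 wrong last words pass for a 12-word phrase and 7 for a 24-word phrase; at other positions the pass rate is about 1 in 16 and 1 in 256 respectively.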

Our recommendation

| Situation | Choice |
|---|---|
| Everyday self-custody, personal amounts | 12 words, written carefully, stored well — fully sufficient |
| Long-term cold storage of significant value | Either; 24 if you want the partial-leak margin and don't mind the bulk |
| Institutional / policy-driven | 24 words, because the policy says so |
| Any situation with sloppy storage | Neither helps — fix the storage first |

GaurdWallet offers both at creation (12 by default, 24 optionally) and imports both — as does any standards-compliant wallet, so the choice never locks you in.

Storage rules that actually move the needle

  • Paper or metal, never pixels. No photos, no screenshots, no password managers syncing to the cloud, no "drafts" folder. A phrase that has touched the internet is a phrase you should consider rotating.
  • Write, verify, then verify the verification. Read the words back against the screen before confirming. A good wallet quizzes you on words precisely to force this.
  • Two locations beat one for meaningful sums: fire and flood destroy single copies. Two full copies in two places you control — not halves split across places, which doubles the chance of partial loss while creating the partial-leak scenario above.
  • Never type it when asked to. Only when you initiated a restore into software you chose. Everything else — "validate your wallet", "sync to claim", "support needs it" — is theft in progress. More in our extension-safety threat model.