Have you ever wondered how the “backup phrase” for your Bitcoin wallet can be used to “recover” your funds? And have you ever wondered whether (or how) you can use that same backup phrase across different Bitcoin-wallet applications — such as Ledger, Coinomi, and Bread Wallet?

Most modern wallet applications use a handful of standards and technologies broadly referred to as “Hierarchical Deterministic” (HD) wallets. Sounds intimidating, but a high-level understanding is within reach.

How Old-Fashioned Bitcoin Wallets Worked

In the good-old days, most (if not all) Bitcoin wallets were not HD-based, and thus you could not back up your wallet with a one-time backup phrase. Because each Bitcoin address in the wallet had its own, independent private key, the wallet would require frequent backing up — every time a new receiving address was generated (which could be every time you receive funds) you'd have to create a new backup.

So for example, suppose your wallet contained address A, and you made a backup (call it bacup X). Then suppose you ask your wallet for a new address, and it generates address B. Your original backup, X, would not contain address B's secret (private key). Thus, you'd lose any funds sent to B if you were to recover your wallet from backup X; securing funds sent to B would require a fresh, new backup.

Some wallets (such as Blockchain.info) would still provide a backup phrase (or mnemonic). However, in the case of Blockchain.info, this was only a way to unlock your wallet from their servers. In the event of an outage, even with the backup phrase in hand, you would have had no access to your funds.

(Note, Blockchain.info now uses the same standards described below; the above only applies for wallets generated there several years back.)

Modern, HD Wallets: BIP39, BIP32, and BIP44

On the other hand, most modern Bitcoin wallets make use of three industry standards to improve the situation:

  • BIP 39 — Prescribes standardized mnemonic phrases.
  • BIP 32 — Describes how to deterministically generate new Bitcoin addresses (keys) from a “base” or “primary” key (which is where the “hierarchical” thing comes in).
  • BIP 44 — Defines a mechanism for storing alternative crypto-currencies in the same “wallet” (so is not relevant when only using Bitcoin).

In combination these standards provide you with the same privacy features of the “old-fashioned” wallets — namely, a fresh, unused Bitcoin address for each new transaction — but with a simpler backup process. You need only write down your 12-word phrase once, at the time you create your wallet... Keep that backup safe and you're set for the future, no matter how many transactions you make.

Here's what a backup phrase might look like:

lecture finger cinnamon similar risk vibrant neutral drip grunt lucky aspect symptom

The Details

This 12-word phrase is generated from a standardized list of 2,048 words, which provides 128 bits of entropy and a checksum. The phrase is hashed to provide the “seed” for your wallet, and you'll always end up with the same seed (and thus the same wallet/addresses) when you start with the same 12-word phrase.

You can optionally provide a passphrase for an extra layer of protection. This way, if someone were to locate your paper backup (and it did not include your passphrase, but only the twelve generated words), they would not have access to your wallet without also knowing (or guessing) your passphrase.

Here is where BIP32 comes into play: Now that you have a seed, BIP32 defines an algorithm by which an effectively endless supply of unique Bitcoin (or other) private keys can be generated. This is what makes the wallet “HD”.

The BIP32 algorithm is complicated, but here's a rough analogy: Imagine you have a really large, random number — your “seed”. To obtain the first private key for your wallet, just add one to your seed. To get a second private key add two to the seed, and so on.

BIP44 specifies exactly “how much to add”, based on the currency, account number (for cases where you have multiple “accounts” in the same wallet), and address/private-key number. Again, it's much more complicated than “adding one”, but having the derivation algorithm standardized means you can migrate your wallet from Trezor to Mycelium to Copay, and back again.

When importing an existing wallet (by entering your mnemonic), your wallet application will check for existing transactions (if it's coded correctly). It does this by checking the balance of each address in consecutive order — starting with the first key generated from your seed — until a large number of addresses with a zero balance start coming up. The first unused address will be recommended for future incoming transaction(s).

Proceed With Caution

All this technology and standardization makes maintaining a Bitcoin wallet substantially easier — you just need one mnemonic, and it can be backed up and used across many devices. However, the portability can be a curse as well as a blessing.

Imagine this: you enter your mnemonic phrase into ten different apps, to see if you can actually recover the wallet, just in case. Then you only use one of the wallet apps. One day someone borrows your laptop or phone or whatever device that was hosting a copy of your wallet. Worse, suppose you forgot to require a password, for wallet access — because you were testing at the time, you probably didn't set one. Your “friend” would have full access to your funds, and could move them to his/her own wallet with a few clicks.

Extra mobility is a nice feature, but should not be tested with your real wallet. Always know where your real wallet is and where it has been.


Thanks to Github user dabura667, as some of the content in this blog-post was inspired by his well-written Github comment.