Deterministic Wallets banner

Deterministic Wallets

Twelve words become millions of addresses.

A modern Bitcoin wallet doesn't store a list of unrelated keys. It stores a single seed — a random number, written down as words — and re-derives every address it will ever hold from that one number. Generate a fresh mnemonic; watch each downstream value change in lock-step.

Deterministic wallet

Twelve words become millions of addresses.

A modern Bitcoin wallet doesn't store a list of unrelated keys. It stores a single seed — a random number, written down as words — and re-derives every address it will ever hold from that one number. Type your own words below or regenerate a fresh mnemonic; watch each downstream value change in lock-step.

Mnemonic length
12 words
Entropy
128 bits
Purpose
BIP84
Addresses shown
8
STEP 01

Entropy → mnemonic (BIP39)

A wallet starts by generating 128 cryptographically random bits. Those bits, plus a short checksum, are split into 12 chunks of 11 bits each. Each chunk indexes into a fixed list of 2048 English words. The result — your mnemonic — is what you write down.

Length
1
2
3
4
5
6
7
8
9
10
11
12
These 12 words encode 128 bits of entropy. A 12-word mnemonic gives 128 bits — the floor for serious use. 24 words gives 256 bits and a future margin against advances in cryptanalysis. Click any chip above to type a different word.
Entropy (128-bit, 32 hex chars):
STEP 02

Mnemonic + passphrase → seed

The mnemonic is stretched into a 512-bit seed using PBKDF2-HMAC-SHA512 with 2,048 iterations. An optional passphrase — sometimes called the "25th word" — salts the function, so the same mnemonic with a different passphrase produces an entirely unrelated wallet.

Plausible deniability lives here. With a passphrase, you can carry a 'duress wallet' on the bare mnemonic and a real one a single secret word away. PBKDF2 is intentionally slow — brute-forcing the passphrase costs a lot, even for an attacker who finds your seed phrase.
BIP39 seed (512-bit):
STEP 03

Seed → master extended key (BIP32)

HMAC-SHA512 of the seed against the constant string "Bitcoin seed" yields a 64-byte output. The left 32 bytes become the master private key. The right 32 bytes become the chain code — the seed-of-the-tree that lets the wallet derive children deterministically. Together they are serialized as an extended key.

An extended key carries everything a child key needs: the key itself, the chain code, the depth, the index, and a fingerprint of the parent. xprv is the private version; xpub is the public one. You can hand out an xpub safely — anyone holding it can derive your public addresses, but not spend from them.
Master xprv (private extended key — keep secret):
Master xpub (public extended key — shareable):
STEP 04

Derivation path (BIP44 / 49 / 84 / 86)

The master key derives children at indices. Each integer is one step down the tree; an apostrophe marks a hardened step that can't be reversed even if a child key leaks. The path tells the wallet what kind of address to produce.

BIP84Native SegWit (bech32). The full path is m/84'/0'/0'/0/x, broken down as: m (master) / 84' (purpose, hardened) / 0' (coin type — 0 = Bitcoin) / 0' (account 0) / 0 (external chain — receive addresses; 1 is for change) / x (address index).
Account xprv (m/84'/0'/0'):
Account xpub (m/84'/0'/0'):
STEP 05

Receive addresses

Finally, the wallet derives one child key per address index along the external chain. Each child public key is hashed and encoded in the format the purpose level prescribed — base58 for legacy, bech32 for SegWit, bech32m for Taproot.

You can derive billions of addresses from this one mnemonic, and any wallet given the same seed will produce the same addresses in the same order. This is what 'deterministic' means. Lose your device; restore the words; every coin is exactly where you left it.
#
Derivation
Address
Public key (compressed)
0
m/84'/0'/0'/0/0
1
m/84'/0'/0'/0/1
2
m/84'/0'/0'/0/2
3
m/84'/0'/0'/0/3
4
m/84'/0'/0'/0/4
5
m/84'/0'/0'/0/5
6
m/84'/0'/0'/0/6
7
m/84'/0'/0'/0/7
!
This page is a demonstration. The values are derived in your browser using audited cryptography libraries, but you should still never paste a mnemonic that controls real funds into any website — including this one. Generate and store seeds you intend to back with real bitcoin on offline, audited hardware.