Introduction
A BIP39 seed phrase is the backup key to a cryptocurrency wallet. Instead of asking you to store raw binary entropy or a long private key directly, the wallet converts that cryptographic data into a list of common words selected from a fixed list of 2,048 terms. That design makes backup and recovery more practical for humans, but it also means that the security of the wallet comes down to whether those words stay secret. If an attacker can reconstruct the full phrase, they can usually restore the wallet and control the funds without needing permission from any bank, exchange, or service desk. This calculator is meant to make that risk concrete by estimating how long a brute-force search could take when only some of the words are missing.
The result is especially useful in two situations. The first is security education: it helps you see why seed phrases are considered powerful secrets and why leaking even part of one can matter. The second is recovery planning: sometimes a legitimate owner remembers most of a phrase but is missing one or two words, and they want to understand whether a recovery attempt is realistic. In both cases, the key idea is the same. Every unknown BIP39 word multiplies the remaining search space by 2,048. That growth is exponential, so the difference between one missing word and several missing words is enormous.
How to Use
Start by choosing the total phrase length. BIP39 phrases commonly contain 12 or 24 words, but 15, 18, and 21 word phrases also exist. Next, enter how many of those words are already known with certainty. Finally, enter a guess rate in guesses per second. That rate represents how quickly an attacker, recovery tool, or testing setup can generate and check candidate phrases. Once you press Estimate Time, the calculator reports the number of unknown words, the simplified total number of combinations, and the estimated time required to test them at the speed you entered.
To interpret the result, think of it as an order-of-magnitude estimate rather than a guaranteed real-world runtime. The calculator assumes the attacker can keep making guesses offline with no rate limiting, no account lockout, and no extra delay beyond the cryptographic work needed to derive and test each candidate seed. That makes the output a best-case scenario for the attacker and, from the wallet owner’s perspective, a conservative estimate of safety. If the result is still extremely large under those favorable conditions, real attacks are usually even less practical.
If you are using the calculator for wallet recovery, pay close attention to whether your unknown count is small. One missing word may be trivial to search. Two missing words can still be practical on decent hardware. Three missing words may be possible in some cases, but the workload rises quickly. Beyond that, the space becomes so large that success depends heavily on extra clues such as word positions, checksum filtering, language selection, a restricted candidate list, or knowledge of a passphrase.
Formula
BIP39 relies on a fixed list of 2,048 unique words. Each word represents 11 bits of entropy because equals 2,048. When you know some words of a seed phrase, the remaining words are still unknown. The total number of possible phrases is where is the number of unknown words. That exponential growth is what makes brute forcing a full phrase infeasible. For example, if only two words are missing from a 12-word phrase, there are combinations, a little over four million possibilities to test before you even consider wallet-path verification or checksum pruning.
The calculator multiplies the number of combinations by the inverse of the guess rate to determine how long it would take to exhaust the search. In plain language, the formula is:
Formula: T = 2048^u / r
Here, T is time in seconds, u is the number of unknown words, and r is the guess rate in guesses per second. The output is then converted into seconds, minutes, hours, days, or years so the scale is easier to grasp. This simplified model is intentionally transparent: if you change the unknown word count by just one, the time changes by a factor of 2,048.
Worked Example
Suppose you have a 12-word phrase and you know 10 of those words. That means 2 words are unknown. The search space is 4,194,304 possibilities. If the testing setup can check 1,000,000 guesses per second, the estimated time is about 4.19 seconds. That sounds surprisingly small, and it highlights an important practical point: a phrase with just one or two missing words may be recoverable by the rightful owner if they already know the rest of the mnemonic and can verify the wallet output.
Now change only one detail. Instead of two unknown words, imagine three unknown words at the same guess rate. The combinations jump to 8,589,934,592, and the estimate becomes about 2.39 hours. Add one more missing word and the estimate becomes roughly 203.61 days. Add yet another and you move into centuries. That is why seed phrase recovery tools often work only when the number of unknown words is small or when the search can be narrowed by additional information such as the exact word positions, the last word’s checksum constraints, or a short list of likely candidate words.
Understanding Guess Rates
Guess rate refers to how many candidate seed phrases an attacker can test per second. This metric depends on computational power, implementation quality, and what exactly must be derived for each guess. Modern graphics processing units and optimized recovery tools can achieve very high throughput, but BIP39 recovery still involves expensive cryptographic operations such as PBKDF2 and wallet derivation steps. In many real workflows, the guess rate is far lower than people expect from raw GPU marketing numbers. A rate of thousands to millions of guesses per second may be plausible for some simplified setups, while a realistic end-to-end wallet verification pipeline can be slower.
The rate you enter is therefore one of the most important assumptions in the model. If you increase the guess rate by a factor of 10, the estimated time falls by a factor of 10. That sounds significant, but it does not cancel out exponential growth. A faster machine helps, yet each additional unknown word still multiplies the work by 2,048. This is why brute force can be feasible for a nearly complete phrase but absurd for a mostly unknown one, even if the attacker has very capable hardware.
Incorporating the Checksum
BIP39 mnemonic phrases include a checksum embedded within the last word, reducing the effective search space slightly because not all combinations are valid. The checksum is derived from hashing the entropy and taking a certain number of bits. For simplicity, this calculator assumes all combinations are equally likely and does not account for the checksum reduction. If one wanted to be more precise, the total combinations could be divided by where c is the number of checksum bits. This adjustment becomes significant only when very few words are unknown. For larger numbers of missing words, the checksum provides negligible relief to a brute-force attacker compared with the overwhelming size of the overall space.
That simplification is useful because it keeps the calculator easy to understand. You can treat the result as a rough upper bound on the number of phrases that must be examined before checksum pruning, position clues, or implementation details start reducing the workload. If you are doing serious recovery work, you would normally combine checksum filtering with address matching and any other clues you have. If you are using the calculator to think like a defender, the simplified estimate already shows the main lesson clearly: secrecy of the words matters far more than small efficiency gains.
A Table of Possibilities
The following table shows how quickly the count grows as more BIP39 words become unknown. It assumes a 12-word seed and lists the simplified combinations before checksum filtering. The table is not the main story, but it provides a compact way to see the step-by-step multiplication that drives the rest of the page.
| Unknown Words | Combinations |
|---|---|
| 1 | 2,048 |
| 2 | 4,194,304 |
| 3 | 8,589,934,592 |
| 4 | 17,592,186,044,416 |
| 5 | 36,028,797,018,963,968 |
What makes the table striking is not just that the numbers are large, but how fast they accelerate. Every row is 2,048 times the row above it. That compounding effect is the central security property of mnemonic phrases. A person who knows almost everything may be able to recover the seed, while someone who is missing several words is confronted with a search space so large that the problem stops being practical.
Human Timescales
After computing the total seconds, the calculator converts that figure into approximate human timescales such as minutes, hours, days, or years. When an estimate reaches millions or billions of years, the number becomes abstract, so it helps to compare it with familiar reference points. Human civilization has existed for only a few thousand years, and the universe is about 13.8 billion years old. Many brute-force scenarios for seed phrases exceed those scales by enormous margins. Even with aggressive assumptions about hardware, there are cases where the search is not merely inconvenient but effectively impossible.
That perspective is useful for both owners and auditors. For owners, it demonstrates why the phrase must be treated like a bearer instrument: whoever has it effectively has the assets. For auditors or educators, it shows why brute force is usually not the main threat model for a fully secret phrase. The more realistic threats are theft, malware, phishing, shoulder surfing, insecure digital storage, or a compromised backup process. The mathematics support good operational habits, but they do not replace them.
Real-World Threats
Although brute forcing a seed is mathematically daunting, actual attacks often succeed by exploiting weaker links. Malware can capture a phrase when it is typed into a compromised device. Fake wallet restore screens and phishing pages can persuade users to reveal all 12 or 24 words at once. Screenshots, cloud notes, email drafts, and photos of paper backups create risks that have nothing to do with cryptanalysis. Physical theft matters too: a seed written on paper or stamped on metal is only as safe as the place where it is stored. For most people, secure handling of the phrase is far more important than the exact brute-force estimate for a hypothetical attacker.
This is why the calculator should be read as an educational lens, not as a complete security audit. It answers one narrow question very well: if someone is missing some number of BIP39 words, how quickly does the search effort grow? It does not tell you whether your computer is compromised, whether your backup is exposed, or whether a third-party wallet app is trustworthy. Those questions belong to operational security rather than probability math.
Limitations and Assumptions
No simple calculator can model every wallet recovery or attack path perfectly. This page makes several deliberate simplifications so the core relationship between unknown words and brute-force time remains clear. In particular, the estimate assumes an offline search, does not model optional BIP39 passphrases, and treats all unknown words as if they were fully independent choices drawn from the complete word list. That is often good enough for intuition, but there are edge cases where a specialized tool or a more detailed recovery workflow would give a different answer.
The most important limitations are these: the checksum is simplified, real-world guess rates vary a lot, phrase positions may matter, users sometimes know a smaller candidate set than the full 2,048-word list, and an extra BIP39 passphrase can change the problem dramatically. In recovery scenarios, these details can shrink the search space. In defensive scenarios, they can also enlarge it if an attacker lacks address information or must derive many wallet paths to verify each guess. So use the calculator to understand scale, not to treat the result as a court-grade prediction.
Implications for Partial Knowledge
People occasionally remember most of their seed phrase but lose one or two words. Recovery tools exist for exactly that situation, and this calculator helps explain why they can sometimes work. If only one word is missing, there are 2,048 possibilities before checksum filtering. That is small enough that a legitimate owner may be able to search it quickly. At two words, the problem is larger but still often manageable. By three or four unknown words, the feasibility depends heavily on hardware and on whether you can narrow the search with extra clues. Beyond that, the problem tends to become intractable very quickly.
This has practical consequences for backup strategy. A correct full backup stored securely is far safer than a clever but fragile memory technique. Splitting words across locations, depending on memory alone, or recording the phrase with mistakes can turn a manageable recovery task into an impossible one. At the same time, revealing even part of the phrase to the wrong person can lower the barrier for a targeted search. The safest approach is usually the simplest one: keep the whole phrase accurate, private, and stored in a controlled location.
Staying Ahead of Computing Advances
Computing power improves over time, and attackers can rent cloud hardware or build clusters that would have been rare a decade ago. Even so, exponential search spaces age well. A 10× or 100× speedup is meaningful for very small recovery problems, but it does not make a broadly unknown seed phrase easy to brute force. Quantum computing also raises long-term questions, yet the large search spaces involved here still provide a substantial cushion in many realistic discussions. The bigger immediate risk remains exposure of the phrase itself rather than a sudden collapse of brute-force difficulty.
In other words, the lesson is not complacency. It is prioritization. Secure devices, careful backups, verified wallet software, and resistance to phishing will protect you far more than obsessing over tiny differences in theoretical guess rates. The math gives you confidence about the strength of a properly protected seed phrase. Good habits are what let you benefit from that strength in practice.
Conclusion
The BIP39 Seed Phrase Brute Force Time Calculator turns an abstract security idea into numbers you can inspect. By entering the phrase length, the number of known words, and a guess rate, you can see how each missing word multiplies the search space and changes the expected runtime. The key takeaway is simple but powerful: each unknown BIP39 word adds another factor of 2,048. That makes small recovery problems sometimes solvable, while making broad brute-force attacks unrealistic when the phrase remains secret. Use the estimate to understand the scale of the problem, then pair that understanding with careful backup and storage practices.
Calculator
This estimate runs locally in your browser. It does not upload a seed phrase, and you should never paste a real recovery phrase into any website. Only enter counts and rates, not the actual mnemonic words themselves.
Mini-game: Collapse the Search Space
This optional mini-game turns the calculator’s core idea into a short, replayable skill challenge. You are operating a checksum verifier around a mnemonic ring. Tap, click, or press Space when a blue valid candidate reaches the gold verify window. Ignore the red decoys. Every successful lock removes one missing word and immediately changes the on-screen brute-force estimate by a factor of 2,048. The game is purely educational and does not affect the calculator’s math above.
Best score: 0
Takeaway: Each missing BIP39 word multiplies the search space by 2,048, so recovering even one word can change a recovery attempt from impossible to manageable.