Why Does KeepKey Only Generate 12 Words?
Open-source hardware wallet with 7,500+ supported assets. Your keys never leave the device.
TL;DR: A 24-word recovery phrase is not more secure than a 12-word recovery phrase. Both encode more entropy than the rest of the system can use: secp256k1 keys offer about 128 bits of security no matter how long the seed is. The 24-word version is just longer to write down, harder to enter, and more error-prone, without offering any additional protection. KeepKey uses 12 words by default because that's the right answer for almost everyone.
The rest of this article explains why, in detail, with the cryptographic reasoning so you can verify it yourself.
A BIP39 recovery phrase is a human-readable encoding of a fixed-size random number. The number is what matters. The words are just a way to write it down without errors.
| Phrase length | Entropy bits | Checksum bits | Total bits (words × 11) | Possible combinations |
|---|---|---|---|---|
| 12 words | 128 bits | 4 | 132 | 2¹²⁸ ≈ 3.4 × 10³⁸ |
| 18 words | 192 bits | 6 | 198 | 2¹⁹² ≈ 6.3 × 10⁵⁷ |
| 24 words | 256 bits | 8 | 264 | 2²⁵⁶ ≈ 1.2 × 10⁷⁷ |

The checksum is the first ENT/32 bits of SHA-256 over the entropy, appended before the bits are cut into 11-bit word indices. It catches most transcription errors (a single wrong word is rejected 15 times out of 16 for a 12-word phrase) but adds no secrecy, which is why the "possible combinations" column counts only the entropy bits.
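The mapping in the table, as an added example (this is illustrative code written for this article, not KeepKey firmware). It works on the 11-bit word indices rather than the words themselves so the 2048-entry wordlist does not have to be embedded; looking an index up in the real list is the only step left out. The `TREZOR` passphrase and the all-zero entropy are the first published BIP39 test vector, and the function names are this example's own.

```python
from __future__ import annotations
import hashlib
import secrets
import unicodedata

# BIP39 allows ENT of 128, 160, 192, 224 or 256 bits: 12, 15, 18, 21 or 24 words.
ALLOWED_ENTROPY_BITS = (128, 160, 192, 224, 256)
ALLOWED_WORD_COUNTS = (12, 15, 18, 21, 24)


def entropy_to_indices(entropy: bytes) -> list[int]:
    """ENT || checksum, cut into 11-bit word indices (0..2047)."""
    ent_bits = len(entropy) * 8
    if ent_bits not in ALLOWED_ENTROPY_BITS:
        raise ValueError(f"entropy must be one of {ALLOWED_ENTROPY_BITS} bits, got {ent_bits}")
    cs_bits = ent_bits // 32                      # 4 bits for 128, 8 bits for 256
    digest = hashlib.sha256(entropy).digest()
    checksum = int.from_bytes(digest, "big") >> (256 - cs_bits)   # leading cs_bits of SHA-256
    combined = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total_bits = ent_bits + cs_bits               # always a multiple of 11
    return [(combined >> (total_bits - 11 * (i + 1))) & 0x7FF for i in range(total_bits // 11)]


def indices_to_entropy(indices: list[int]) -> bytes:
    """Inverse mapping; raises ValueError when the checksum does not match (recovery-flow check)."""
    n = len(indices)
    if n not in ALLOWED_WORD_COUNTS:
        raise ValueError(f"phrase must be {ALLOWED_WORD_COUNTS} words, got {n}")
    if any(not 0 <= w < 2048 for w in indices):
        raise ValueError("word index out of range")
    total_bits = n * 11
    cs_bits = total_bits // 33                    # 132 -> 4, 198 -> 6, 264 -> 8
    ent_bits = total_bits - cs_bits
    combined = 0
    for w in indices:
        combined = (combined << 11) | w
    checksum = combined & ((1 << cs_bits) - 1)
    entropy = (combined >> cs_bits).to_bytes(ent_bits // 8, "big")
    expected = int.from_bytes(hashlib.sha256(entropy).digest(), "big") >> (256 - cs_bits)
    if checksum != expected:
        raise ValueError("BIP39 checksum mismatch: a word is wrong or out of order")
    return entropy


def new_phrase_indices(entropy_bits: int = 128) -> list[int]:
    """Generate a fresh phrase from the OS CSPRNG; 128 bits (12 words) is the default."""
    return entropy_to_indices(secrets.token_bytes(entropy_bits // 8))


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic' + passphrase, 64 bytes."""
    pw = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", pw, salt, 2048, 64)


if __name__ == "__main__":
    # Constructed input: all-zero 128-bit entropy is the first BIP39 test vector
    # ("abandon" x11 + "about"); "abandon" is index 0 and "about" is index 3.
    print(entropy_to_indices(bytes(16)))
    print(len(new_phrase_indices(128)), "words for 128 bits;", len(new_phrase_indices(256)), "for 256")
    vector = " ".join(["abandon"] * 11 + ["about"])
    print(mnemonic_to_seed(vector, "TREZOR").hex())
```

Note that the word count is recovered from the phrase itself (`n * 11 // 33` checksum bits), which is exactly what lets one recovery routine accept 12, 18 or 24 words without being told in advance; the checksum then rejects most mistyped phrases before any key is derived.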
128 bits is the standard security level for "computationally infeasible to brute-force." It is what AES-128 provides, what a 256-bit elliptic curve such as secp256k1 or P-256 provides against the best known discrete-log attacks, and what the key exchange and signatures in a typical TLS session are sized to deliver. Nothing in the Bitcoin key hierarchy offers more than that, so extra seed entropy has nothing to raise.
To get an intuition for the size: 2¹²⁸ is roughly 340 undecillion (3.4 × 10³⁸). A billion machines each testing a trillion candidate seeds per second, 10²¹ guesses per second in total, would need about 3.4 × 10¹⁷ seconds to walk the whole space, which is roughly 11 billion years, about the current age of the universe. And that counts only the enumeration; each candidate would also have to go through 2048 rounds of PBKDF2 and a BIP32 derivation before it could be checked against an address.
In a vacuum, yes. In practice, no — once you're past the 128-bit threshold, the bottleneck stops being your seed and starts being everything else in the chain:
So even if your seed phrase had 256 bits of entropy, an attacker who wanted to steal your funds would attack the curve, not the seed: secp256k1 private keys are 256-bit numbers, but the best known generic attack (Pollard's rho) recovers one in about 2¹²⁸ group operations. 128 bits is therefore the ceiling on what the whole system can deliver, not a floor you should try to exceed. Adding more entropy past that point gives you a longer phrase to memorize for no additional security.
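As a worked version of that bound (added here, not from the original article): the group order $n$ of secp256k1 is just under $2^{256}$, and the expected cost of Pollard's rho is about $\sqrt{\pi n/4}$ group operations, so

$$
\log_2 \sqrt{\tfrac{\pi n}{4}} \;=\; \tfrac{1}{2}\left(\log_2 n + \log_2 \tfrac{\pi}{4}\right) \;\approx\; \tfrac{1}{2}\,(256 - 0.35) \;\approx\; 127.8 \text{ bits.}
$$

The effective security of a wallet is the smaller of the seed entropy and this curve bound:

$$
\text{security} = \min(E_{\text{seed}},\; 127.8):\qquad
\min(128,\,127.8) = \min(256,\,127.8) = 127.8 \text{ bits,}
$$

so 12 words and 24 words land on the same number.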
This is why BIP39 sets 128 bits as the minimum entropy it permits, why 128 bits is the common default in wallet implementations, and why 12 words is sufficient to encode it.
Word count is a distraction. The security of your recovery phrase depends almost entirely on whether the phrase has been seen by anyone other than you at any point in its lifetime. Every realistic attack on a recovery phrase is one of these:
Notice that none of these depends on word count. A 24-word phrase typed into a fake recovery site is exactly as compromised as a 12-word phrase typed into the same site.
The thing that protects your funds is that the seed is generated on the device and only ever leaves it as the words you write down by hand, on paper, for you alone. Word count only changes how much there is to write down.
Given that 12 and 24 are equally secure cryptographically, the comparison comes down to ergonomics:
Yes. While KeepKey generates 12 words by default, the recovery flow accepts 12, 18, or 24 words. This matters if you're:
When you start the recovery flow in KeepKey Vault Desktop, you pick the seed length to match what you wrote down. See KeepKey Device Recovery for the full walkthrough.
The cryptography research community is essentially unanimous on this point:
"The amount of entropy used for generating wallets is 128 bits. An extended private key, like a 24-word mnemonic beyond 128 bits, is all just wasted entropy."
That's not a controversial position. BIP39 itself specifies a range of 128 to 256 bits of entropy (12 to 24 words), with 128 bits as the minimum; nothing downstream of the mnemonic (PBKDF2, BIP32 derivation, secp256k1) can make use of more than about 128 bits of security, so 12 words already reaches the system's ceiling.
Where you'll see disagreement is in the broader crypto-influencer space, where "24 words is more secure" is repeated as common knowledge despite being mathematically wrong. Don't let that pressure you into a phrase you'll find harder to manage.