PBKDF2

Also: Password-Based Key Derivation Function 2, key stretching

cryptography · intermediate

A key-stretching function that hashes a password many times to make brute-forcing expensive. BIP-39 uses it with 2048 rounds of HMAC-SHA512.

PBKDF2 (RFC 2898, updated by RFC 8018) takes a low-entropy input (a password, or in BIP-39's case, a mnemonic phrase) plus a salt and derives a fixed-length key from them by applying an underlying PRF, typically HMAC-SHA256 or HMAC-SHA512, thousands of times in a chain. The output looks uniform, but it carries no more entropy than the password and salt went in with; what stretching changes is how much work each guess costs.

The point isn't secrecy. It's *cost*. Each round is one PRF evaluation of fixed CPU work; if an attacker wants to test N candidate passwords, they pay N × rounds PRF evaluations per output block. The salt stops that work from being precomputed once and reused across targets. By choosing rounds high enough that a single attempt takes milliseconds, brute-forcing weak passwords becomes economically unattractive. The caveat is that PBKDF2 needs almost no memory, so the same work parallelises cheaply on GPUs and ASICs, which is why memory-hard functions (scrypt, Argon2) have replaced it for password storage.

[BIP-39](/glossary/bip39) calls PBKDF2 with HMAC-SHA512, 2048 rounds, the NFKD-normalised mnemonic as the password, and the string "mnemonic" followed by the (also NFKD-normalised) passphrase as salt. Output is 64 bytes, exactly the seed length BIP-32 wants. The 2048-round count is modest by 2026 standards (password storage uses Argon2 or scrypt now), but for a mnemonic with 128 to 256 bits of entropy it's overkill anyway: the mnemonic itself isn't brute-forceable, so the round count only matters for the passphrase.

The passphrase ("25th word") changes the salt, and therefore the entire derived seed. Same words + different passphrase = completely different wallet, with no way to tell from on-chain data which passphrase the user picked. Two practical consequences follow. First, the passphrase has no checksum: a typo, a stray space or a case change derives a different, valid-looking, empty wallet rather than an error. Second, if a mnemonic leaks, the passphrase is the only thing left to guess, and at 2048 rounds of HMAC-SHA512 an attacker with a GPU can test a great many candidates per second, so a short or dictionary passphrase buys little.
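The following is an added example, not code from the glossary page or from any BIP-39 library. It writes out PBKDF2 as specified in RFC 8018 §5.2 so the per-round PRF chain and the resulting cost are visible, checks that against Python's `hashlib.pbkdf2_hmac`, and then derives a BIP-39 seed with the exact parameters described above (HMAC-SHA512, 2048 rounds, NFKD normalisation, salt `"mnemonic" + passphrase`). The reference values (`TEST_MNEMONIC`, `TEST_PASSPHRASE`, `TEST_SEED_HEX`) are the first entry of the public BIP-39 test vectors; the function names `pbkdf2`, `bip39_seed` and `matches_reference_vector` are this example's own.

```python
from __future__ import annotations

import hashlib
import hmac
import math
import unicodedata


def pbkdf2(prf_name: str, password: bytes, salt: bytes, rounds: int, dklen: int) -> tuple[bytes, int]:
    """PBKDF2 per RFC 8018 section 5.2, using HMAC-<prf_name> as the PRF.

    Returns (derived_key, prf_evaluations) so the cost of a single guess
    is visible: it is rounds * ceil(dklen / hLen) PRF calls.
    """
    if rounds < 1:
        raise ValueError("iteration count must be a positive integer")
    hlen = hashlib.new(prf_name).digest_size
    blocks = math.ceil(dklen / hlen)          # l = ceil(dkLen / hLen)
    prf_calls = 0
    out = bytearray()
    for i in range(1, blocks + 1):
        # U_1 = PRF(P, S || INT(i)); INT(i) is the 4-byte big-endian block index
        u = hmac.new(password, salt + i.to_bytes(4, "big"), prf_name).digest()
        prf_calls += 1
        t = bytearray(u)
        # U_j = PRF(P, U_{j-1});  T_i = U_1 xor U_2 xor ... xor U_c
        for _ in range(rounds - 1):
            u = hmac.new(password, u, prf_name).digest()
            prf_calls += 1
            for k in range(hlen):
                t[k] ^= u[k]
        out += t
    return bytes(out[:dklen]), prf_calls


def bip39_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, 64-byte output.

    Both strings are NFKD-normalised; password = mnemonic,
    salt = "mnemonic" + passphrase. An empty passphrase is valid and common.
    """
    password = unicodedata.normalize("NFKD", mnemonic).encode("utf-8")
    salt = ("mnemonic" + unicodedata.normalize("NFKD", passphrase)).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", password, salt, 2048, dklen=64)


# First entry of the public BIP-39 test vectors (12 x "abandon" ... "about", passphrase "TREZOR").
TEST_MNEMONIC = "abandon " * 11 + "about"
TEST_PASSPHRASE = "TREZOR"
TEST_SEED_HEX = (
    "c55257c360c07c72029aebc1b53c05ed0362ada38ead3e3e9efa3708e5349553"
    "1f09a6987599d18264c1e1c92f2cf141630c7a3c4ab7c81b2f001698e7463b04"
)


def matches_reference_vector() -> bool:
    """True if our derivation reproduces the published BIP-39 seed."""
    return bip39_seed(TEST_MNEMONIC, TEST_PASSPHRASE).hex() == TEST_SEED_HEX


if __name__ == "__main__":
    # Hand-written PBKDF2 agrees with the standard library and costs 2048 PRF calls per guess.
    key, calls = pbkdf2("sha512", b"correct horse", b"salt", 2048, 64)
    assert key == hashlib.pbkdf2_hmac("sha512", b"correct horse", b"salt", 2048, 64)
    print("PRF evaluations per candidate password:", calls)
    print("reference vector reproduced:", matches_reference_vector())
    # Same words, different passphrase (even just case) gives an unrelated seed.
    print("case-sensitive passphrase:", bip39_seed(TEST_MNEMONIC, "TREZOR") != bip39_seed(TEST_MNEMONIC, "trezor"))
```

Note that with HMAC-SHA512 the 64-byte BIP-39 seed is a single block, so one guess costs exactly 2048 HMAC calls; with HMAC-SHA256 the same 64-byte output would need two blocks and twice the work, which is one reason BIP-39 picked SHA-512.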
