Skip to content
Many crypto users are looking for secure ways to store their seed phrase or wallet backup. The SLIP39 standard, also known as SLIP-39, is supported by Trezor and promises more security by splitting keys. In practice, however, the process is not only complex, but also has considerable disadvantages.
More importantly, most people are not even aware of how BIP39 or SLIP39 works in detail. They only see a seemingly simple list of words and believe that this gives them an almost indestructible sense of security. This deceptive security leads many people to underestimate the risks – be it when storing the seed phrasewhen passing it on or relying on a single backup. This is precisely why it is crucial not to prematurely regard SLIP39 as the better alternative.
In this article you will find out why SLIP39 is not always the best choice, what the risks are compared to BIP39 and why SLIP39 & BIP39 are only safe if you really understand them.
What is SLIP39?
SLIP39 is a standard from SatoshiLabs, the developers of the Trezor hardware wallets. The aim is to split the recovery keys of a wallet into several parts. While BIP39 uses a single seed phrase, SLIP39 is based on the principle of Shamir’s Secret Sharing.
Several fragments are generated, of which only a previously defined minimum number is required for recovery. For example: A wallet is divided into 5 fragments, 3 of which are sufficient to restore access. If 2 fragments are lost, access remains possible. However, if 3 or more are lost, the coins are gone for good.
Another example: A group of friends could receive 7 fragments, 4 of which are required for access. This means that no one can restore the backup alone, but the group can together.
Diese Logik klingt zunächst nach einer sinnvollen Idee und bietet theoretisch Vorteile gegenüber einer einzelnen Phrase. Doch sobald man sich mit den Details befasst, zeigt sich, dass SLIP39 auch erhebliche Schwächen hat.
Recurring words in the shares
An often overlooked point: With SLIP39, the first words in all shares are partially identical. These serve as an indication of how many fragments exist in total and how many of them are required for the restore. This means that the shares reveal information about the structure of the backup at first glance. This can be a starting point for technically skilled attackers and also causes confusion for users who do not understand why some words are repeated.
Threshold at SLIP39
A central concept in SLIP39 is the so-called threshold system. This defines the minimum number of fragments (shares) that must be present in order to restore the seed phrase. Example: With a “3 out of 5” configuration, it is sufficient to merge any three fragments – the remaining two are then optional. This offers a certain degree of error tolerance.
With a setting such as “4 out of 5”, however, the leeway is very small: if just a single fragment is missing, there is no longer a safety buffer. Users must therefore consciously choose the threshold and understand what consequences it has. A configuration such as “5 out of 5” is particularly dangerous. Here, all five fragments must be present – if only one is missing or one does not work, recovery is impossible. This means that there is no margin for error, which makes this setup extremely risky.
Why SLIP39 is problematic in practice
Complexity and susceptibility to errors
The setup is much more complicated than with BIP39. Many users do not even understand how the process works in detail or why they suddenly have several sets of seed phrases. Often all fragments are written on a single piece of paper – which means that the actual security gain is lost. In configurations with 5 sets, it often happens that 1 or 2 already contain errors: poorly legible, incomplete or incorrectly noted. In addition, the configuration is often chosen incorrectly, for example “4 of 5”. If only a single fragment is missing, there is no longer any buffer security. Even small misunderstandings or spelling mistakes can lead to permanent loss of access to the wallet.
Little support
Many wallets and software solutions are still not compatible with SLIP39. It is currently mainly supported by Trezor and some specialized open source projects. Well-known software wallets such as Electrum or hardware devices from other manufacturers, on the other hand, mainly continue to rely on BIP39. So if you want flexibility or want to use different systems, you will quickly reach your limits. Here is a list of mine: TOP 6 hardware wallets!
Dependence on hardware
SLIP39 is closely linked to Trezor. If you want to use a different device, you often cannot use the method at all. This makes you dependent on one manufacturer. In contrast, BIP39 can be used universally – almost all common hardware and software wallets support this standard, regardless of the manufacturer.
Increased storage risks
Instead of saving just one seed phrase, several parts must be securely distributed and stored. This actually means that the e.g. 5 generated fragments should be stored in 5 different locations – never all together. Ideally, they should be secured on resistant materials such as SafeInKrypto HODL Safe Paper, chrome steel or titanium to protect them from water or fire damage. However, this significantly increases the practical complexity and also increases the risk of individual parts being lost or stored incorrectly. In addition, it takes significantly longer to make 5 or more backup disks and label them correctly than to back up a single seed phrase on a disk. It is also very annoying to enter several fragments when restoring.
Use Trezor with BIP39
Even though Trezor heavily promotes SLIP39, users can still select the classic BIP39 standard with 24 words when setting up the device. In the Trezor Suite, this option appears under the so-called “outdated backup types” or “legacy backup types” during setup. If you choose this option, you will receive a single seed phrase with 24 words as usual. This is universally compatible with almost all wallets from other manufacturers and can – if desired – be split into 2×12 and stored separately. For many users, this is the safer and more practical option, as they use the familiar standard and benefit from the broad support.
Difference between SLIP39 and BIP39
- BIP39: Easy handling with a seed phrase, broad support, proven and standardized.
- SLIP39: Multiple parts, complex recovery, limited compatibility.
However, BIP39 is not without its problems. Many users underestimate that a seed phrase is nothing more than a clearly defined key. If you store it incorrectly or insecurely, you expose yourself to the same risks as with any other form of backup. The illusion of the “magic word list” often causes people to ignore security rules. For minor errors, specialized crypto recovery service such as Crypto-Recovery.ch can in many cases help to reconstruct a BIP39 seed phrase. With SLIP39, however, this is extremely complex and virtually impossible to do – I’ve had two real cases so far and both were a laborious, nerve-wracking procedure. Here are mine: Top 3 crypto & wallet recovery services!
The SLIP39 word list
SLIP39 also has a standardized word list, similar to BIP39. While BIP39 works with 2048 words, SLIP39 uses a smaller, specially adapted list of 1024 words. The aim is to avoid confusion and ensure compatibility within the standard. Nevertheless, the SLIP39 word list is much less established and is hardly used by any manufacturer outside of Trezor.
Die vollständige Liste findest du hier:
SLIP39 Wortliste bei GitHub
7 reasons why you should avoid SLIP39!
- Too complex: The configuration is overwhelming for many users.
- Error-prone: Even small omissions can lead to irretrievability.
- Low penetration: Only a few wallets support the standard.
- Hardware dependency: Particularly strongly linked to Trezor.
- More administrative work: Storing several parts securely is more difficult.
- Unsuitable for beginners: Beginners risk total loss. Little possibility of external help in the event of an error.
- Not proven: In contrast to BIP39, there is a lack of many years of practice.
Conclusion
At first glance, SLIP39 sounds like a step forward in the area of wallet backup. In reality, however, it entails more risks than benefits. If you want to rely on a secure, proven and widely supported solution in the long term, you are better off with BIP39. The 24-word version in particular is considered extremely secure and is compatible with almost all wallets.
If you want additional security, you can also divide the 24 words into 2×12 parts and store them in different places – nobody can do anything with just half of them. SLIP39 only makes sense if you understand exactly how it works and are prepared to put in the considerable extra effort.
However, very few users have this knowledge. Here is an article: How to set up a cold wallet correctly!
Nevertheless, BIP39 is not a sure-fire success. The biggest danger is a lack of understanding. Only those who really know how the seed phrase works, what attack vectors there are and how to store a backup correctly are really safe. This also means: never enter the words online, do not share them carelessly and store them in such a way that no unauthorized person has access. Only those who understand this and consistently store their backups correctly can guarantee the long-term security of their coins.
Back to the home page: Crypto Recovery
