How It Works
W2QR uses honey encryption to protect your BIP-39 mnemonic. Every password produces a valid seed phrase, so an attacker cannot tell from the decrypted output alone which one is real.
Encrypting Your Mnemonic
Enter your seed phrase
Provide your BIP-39 mnemonic (12 or 24 words). W2QR validates the checksum to ensure it is a legitimate seed phrase.
Choose a strong password
Your password is the encryption key. It is processed through Argon2id — a memory-hard key derivation function — using 64 MB of memory and 3 iterations. This makes each password attempt slow and expensive for attackers.
Honey encryption transforms the mnemonic
W2QR maps your mnemonic to its entropy bits. The Argon2id-derived key is XOR-mixed with this entropy. The result is a ciphertext that, when decrypted with any password, always yields valid BIP-39 entropy — and therefore a valid mnemonic.
QR code is generated
The encrypted payload is encoded into a compact QR code. Download it as PNG, SVG, or JSON. Print it and store it like you would a hardware wallet recovery sheet.
Decrypting Your Mnemonic
Scan or upload your QR code
Use your camera to scan the encrypted QR, or upload the image file / paste the JSON data.
Enter your password
The same Argon2id derivation runs in your browser using WebAssembly — no server involved.
XOR reversal recovers the entropy
The derived key is XOR-mixed with the ciphertext, reversing the encryption. The resulting entropy bits are converted back into BIP-39 words.
Your mnemonic is displayed
The original seed phrase appears on screen. It exists in browser memory only for as long as you keep the page open — it is never stored or transmitted.
Why Honey Encryption?
Traditional encryption (AES, ChaCha20) produces random garbage when the wrong password is used. An attacker brute-forcing passwords immediately knows when the correct one is found — the output suddenly makes sense.
Honey encryption (Juels & Ristenpart, Eurocrypt 2014) eliminates this signal. Because the encrypted payload is XOR-masked entropy, every password produces valid BIP-39 entropy, which maps to a valid mnemonic. An attacker trying a million passwords gets a million real-looking seed phrases — each controlling a different wallet.
To identify the real wallet, the attacker must derive addresses from each mnemonic and check them against the blockchain. With Argon2id slowing each attempt and millions of valid decoys to check on-chain, brute-force becomes economically prohibitive.
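The sketch below is an added example, not W2QR's own code. It shows why the BIP-39 checksum gives an attacker no signal: the checksum is recomputed from whatever entropy the XOR step yields, so every password passes validation. Assumptions: scrypt from the Python standard library stands in for Argon2id, the salt and sample entropy are constructed, and word indices are shown instead of words so no wordlist is needed.

```python
import hashlib

SALT = b"constructed-demo-salt"   # assumption: the page does not describe salt handling
SAMPLE_ENTROPY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed, 128 bits

def derive_mask(password: str, salt: bytes, length: int) -> bytes:
    # Stand-in KDF (scrypt), NOT the Argon2id / 64 MB / 3 iterations the page describes.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1,
                          maxmem=64 * 1024 * 1024, dklen=length)

def xor_mask(data: bytes, password: str, salt: bytes) -> bytes:
    # Encryption and decryption are the same operation: XOR with the derived mask.
    mask = derive_mask(password, salt, len(data))
    return bytes(a ^ b for a, b in zip(data, mask))

def entropy_to_indices(entropy: bytes) -> list[int]:
    # BIP-39: append the first ENT/32 bits of SHA-256(entropy), then split the
    # result into 11-bit indices into the 2048-word list.
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("unsupported entropy length")
    cs_bits = ent_bits // 32
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    value = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    n_words = (ent_bits + cs_bits) // 11
    return [(value >> (11 * (n_words - 1 - i))) & 0x7FF for i in range(n_words)]

def checksum_ok(indices: list[int]) -> bool:
    # What a wallet does on import: split off the entropy and recompute the checksum.
    total_bits = len(indices) * 11
    cs_bits = total_bits // 33
    value = 0
    for idx in indices:
        value = (value << 11) | idx
    entropy = (value >> cs_bits).to_bytes((total_bits - cs_bits) // 8, "big")
    return entropy_to_indices(entropy) == indices

def try_passwords(ciphertext: bytes, guesses: list[str]) -> dict[str, bool]:
    # Every guess maps to some entropy, and every entropy has a valid checksum.
    return {g: checksum_ok(entropy_to_indices(xor_mask(ciphertext, g, SALT)))
            for g in guesses}

if __name__ == "__main__":
    ct = xor_mask(SAMPLE_ENTROPY, "correct horse battery", SALT)
    for guess, valid in try_passwords(ct, ["correct horse battery", "123456", "letmein"]).items():
        print(f"{guess!r}: checksum valid = {valid}")
```

A defender reading this should note what the construction does not provide: the password is never verified, so a typo on decryption silently yields a different, valid-looking mnemonic.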
Security Summary
- ✓ All encryption and decryption runs in your browser — nothing is sent to a server.
- ✓ Argon2id with 64 MB memory makes each password guess expensive.
- ✓ Every wrong password produces a valid mnemonic — no oracle to distinguish correct from incorrect.
- ✓ Your mnemonic exists in memory only during the operation and is never persisted.