From what I understand a 12 word seed generated with high entropy dice rolls, and a strong passphrase is strong enough security for most people.
With different word set for your wallet mnemonic seed phrase, you will have different entropy.
https://learnmeabitcoin.com/technical/keys/hd-wallets/mnemonic-seed/12 words: 128 bit
15 words: 160 bit
18 words: 192 bit
21 words: 224 bit
24 words: 256 bit
BIP 39: Entropy and word length.With 2
128 to 2
256 private keys to find, it's very safe, no chance to brute force private keys.
You only need to use an open source and non custodial wallet that creates your wallet mnemonic seeds with 128 or 256 bits of entropy. It's safe enough to use especially with 256 bits of entropy. You can create your wallet mnemonic seed with bigger than 256 entropy but there are only 2
256 private keys.
How Much Entropy Do You Need?
BIP32 allows seeds to be from 128 to 512 bits. BIP39 accepts from 128 to 256 bits of entropy; Electrum v2 accepts 132 bits of entropy; Aezeed accepts 128 bits of entropy; SLIP39 accepts either 128 or 256 bits. The variation in these numbers makes it unclear how much entropy is needed for safety. We’ll try to demystify that.
BIP32 extended private keys consist of a 256-bit key and a 256-bit chain code, for a total of 512 bits. That means there’s a maximum of 2512 different possible extended private keys. If you start with more than 512 bits of entropy, you’ll still get an extended private key containing 512 bits of entropy—so there’s no point in using more than 512 bits even if any of the standards we mentioned allowed that.
However, even though there are 2512 different extended private keys, there are only (slightly less than) 2256 regular private keys—and its those private keys that actually secure your bitcoins. That means, if you use more than 256 bits of entropy for your seed, you still get private keys containing only 256 bits of entropy. There may be future Bitcoin-related protocols where extra entropy in the extended keys provides extra security, but that’s not currently the case.
The security strength of a Bitcoin public key is 128 bits. An attacker with a classical computer (the only kind which can be used for a practical attack as of this writing) would need to perform about 2128 operations on Bitcoin’s elliptic curve in order to find a private key for another user’s public key. The implication of a security strength of 128 bits is that there’s no apparent benefit to using more than 128 bits of entropy (although you need to ensure your generated private keys are selected uniformly from within the entire 2256 range of private keys).
There is one extra benefit of greater entropy: if a fixed percentage of your recovery code (but not the whole code) is seen by an attacker, the greater the entropy, the harder it will be for them to figure out part of the code they didn’t see. For example, if an attacker sees half of a 128-bit code (64 bits), it’s plausible that they’ll be able to brute force the remaining 64 bits. If they see half of a 256-bit code (128 bits), it’s not plausible that they can brute force the other half. We don’t recommend relying on this defense—either keep your recovery codes very safe or use a method like SLIP39 that lets you distribute your recovery code across multiple locations without relying on the safety of any individual code.
As of 2023, most modern wallets generate 128 bits of entropy for their recovery codes (or a value near 128, such as Electrum v2’s 132 bits).