when you install MetaMask, you were shown a list of 12 words known as the Secret Recovery Phrase.
- Note: The order of the words in the secret recovery phrase is important.
- MetaMask uses a specification known as the BIP39 to generate these 12 words.
- BIP39(Bitcoin Improvement Proposals) recommends use of a mnemonic phrase to recover accounts in the event your accounts are compromised or lost.MetaMask calls this mnemonic phrase as the Secret Recovery Phrase.
- 12 words are chosen from a list of 2048 words.The complete list of 2048 words can be found from here
Each word in the secret recovery phrase has a number associated with it. These numbers are used to form a seed integer, which is then used to create a set of public/private keys
- a private key is generated using the seed integer using the SHA256 hash function
- public key is generated from private key using ECDSA(Elliptic Curve Signature) algorithm
- from the public key derived, compute a keccak256 hash
- from the keccak256 hash, take the last 20 bytes (which is 40 hexadecimals), prefix it with “0x” and this is your Ethereum address.
With the public/private key pair created from the seed integer, MetaMask will now be able to create your first account.As explained, your first account is generated from the keccak256 hash.
Internally, MetaMask encrypts your private key using the password that you supplied during the installation stage, and stores it in your browser’s data store. It does not store them on the cloud.
- MetaMask makes use of the private key of the first account and hashes it to get the next private key.Using the newly created private key, the same procedure applies (as described earlier) to get the public key and subsequently the account address. And the next account is always the hash of the previous private key.
- This is the reason why your accounts can be recovered as long as you have your secret recovery phrase.
- And this brings us to this very important point you have to know — protect your secret recovery phrase under lock and key! - Once you compromised your secret recovery phrase, your accounts can be accessed by anyone who has them. Needless to say, your cryptocurrencies will be gone in a heartbeat!
Credits: Wei-Meng Lee