SeedClicker - Writing seed phrases without keyboard [Script Python]

[joker_josue]

SeedClicker - Writing seed phrases without keyboard

I was doing some tests, and I kept thinking about the fact that wallet recovery requires the insertion of the seed phrase, which usually needs to be done manually on the keyboard, which can lead to several risks:

• Keyloggers can capture keystrokes and compromise your wallet.
• Screenloggers can record the screen while the seed is typed.
• Human error, where the user may type a wrong word.
• In addition to time and practicality.

With that in mind, I decided to venture into building my first Python script, which I named Seed Clicker. It was developed to eliminate these risks by allowing the user to select their seed with just clicks, without having to type any letters on the keyboard.

This script aims to improve the security and privacy of seed recovery in several ways:

• Have a list of all BIP39 words in an organized way, filtered by first and second letter.
• Allows you to select the seed by clicking, without having to type anything on the keyboard.
• Shuffles the order of words to reduce predictable patterns.
• A button to hide the seed, to protect from screenloggers.
• Automatically write to the wallet, after writing the phrase, the script inserts the seed into the wallet automatically.
• It erases data after use, with no words being stored.

I found this script useful as it can help protect against keyloggers since no keys are typed manually. Since the seed is hidden during this process, it protects against screenloggers. It is practical and fast, taking less than 1 minute to choose all the seeds, with the help of filtering that allows you to find words easily. Zero log storage, no files or caches are saved. Furthermore, it is open source, with total transparency, without backdoors or hidden functions.


Script Seed Clicker

Code:

import tkinter as tk
import pyautogui
import time
import string
import random

# Load words from file
def load_words():
    words_dict = {letter: {} for letter in string.ascii_lowercase}  # Create groups A-Z
    try:
        with open("words.txt", "r", encoding="utf-8") as f:
            for word in f:
                word = word.strip().lower()
                if word and word[0] in words_dict:
                    second_letter = word[1] if len(word) > 1 else "#"
                    if second_letter not in words_dict[word[0]]:
                        words_dict[word[0]][second_letter] = []
                    words_dict[word[0]][second_letter].append(word)
    except FileNotFoundError:
        print("Error: The file words.txt was not found.")
        exit()
    return words_dict

# Update buttons organized in 10 columns
def update_buttons(letter, second_letter=None):
    for widget in frame_buttons.winfo_children():
        widget.destroy()

    words = []
    if letter in words_dict:
        if second_letter:
            words = sorted(words_dict[letter].get(second_letter, []), key=lambda x: random.random())
        else:
            words = sorted([word for sublist in words_dict[letter].values() for word in sublist], key=lambda x: random.random())
    
    num_columns = 10
    num_rows = (len(words) // num_columns) + (1 if len(words) % num_columns != 0 else 0)

    canvas = tk.Canvas(frame_buttons)
    scrollbar = tk.Scrollbar(frame_buttons, orient="vertical", command=canvas.yview)
    scroll_frame = tk.Frame(canvas)

    scroll_frame.bind(
        "<Configure>",
        lambda e: canvas.configure(
            scrollregion=canvas.bbox("all")
        )
    )

    canvas.create_window((0, 0), window=scroll_frame, anchor="nw")
    canvas.configure(yscrollcommand=scrollbar.set)

    for row in range(num_rows):
        row_frame = tk.Frame(scroll_frame)
        row_frame.pack()
        for col in range(num_columns):
            index = row + (col * num_rows)
            if index < len(words):
                tk.Button(row_frame, text=words[index], width=8, height=1, padx=2, pady=2,
                          command=lambda p=words[index]: select_word(p)).pack(side="left", padx=2, pady=2)

    canvas.pack(side="left", fill="both", expand=True)
    scrollbar.pack(side="right", fill="y")

# Select word and update display
def select_word(word):
    selected_words.append(word)
    update_seed_display()
    update_counter()

# Remove last word and update counter
def delete_last():
    if selected_words:
        selected_words.pop()
        update_seed_display()
        update_counter()

# Update selected words counter
def update_counter():
    label_counter.config(text=f"Selected Words: {len(selected_words)}")

# Toggle seed visibility
def toggle_visibility():
    global show_seed
    show_seed = not show_seed
    update_seed_display()
    button_toggle.config(text="Hide Seed" if show_seed else "Show Seed")

# Update seed display
def update_seed_display():
    seed_text = " ".join(selected_words) if show_seed else " ".join(["*" * len(w) for w in selected_words])
    label_seed.config(text=seed_text)

# Auto-fill in wallet
def fill_wallet():
    if not selected_words:
        return  
    time.sleep(3)  
    pyautogui.typewrite(" ".join(selected_words), interval=0.1)  
    clear_all()

# Clear all words
def clear_all():
    global selected_words
    selected_words.clear()
    update_seed_display()
    update_counter()

# Create main window
root = tk.Tk()
root.title("Seed Clicker")
root.geometry("800x600")

# Load words and initialize variables
words_dict = load_words()
selected_words = []
show_seed = False

# Create seed display area
label_seed = tk.Label(root, text="", font=("Arial", 12), fg="blue", wraplength=600)
label_seed.pack(pady=10)

# Selected words counter
label_counter = tk.Label(root, text="Selected Words: 0", font=("Arial", 12))
label_counter.pack()

# Button to toggle seed visibility
button_toggle = tk.Button(root, text="Show Seed", command=toggle_visibility)
button_toggle.pack()

# Create letter buttons A-Z
frame_letters = tk.Frame(root)
frame_letters.pack()

for letter in string.ascii_lowercase:
    if words_dict[letter]:
        tk.Button(frame_letters, text=letter.upper(), width=2, command=lambda l=letter: [update_buttons(l), update_second_filter(l)]).pack(side="left", padx=2, pady=2)

# Create second filtering
frame_second_letter = tk.Frame(root)
frame_second_letter.pack()

def update_second_filter(letter):
    for widget in frame_second_letter.winfo_children():
        widget.destroy()
    
    if letter in words_dict:
        second_letters = sorted(words_dict[letter].keys())
        for second in second_letters:
            tk.Button(frame_second_letter, text=second, width=2, command=lambda s=second: update_buttons(letter, s)).pack(side="left", padx=2, pady=2)

# Create word selection area (initially empty)
frame_buttons = tk.Frame(root)
frame_buttons.pack(pady=10, fill="both", expand=True)

# Action buttons
tk.Button(root, text="⏪ Delete Last", command=delete_last).pack()
tk.Button(root, text="🛡️ Fill Wallet", command=fill_wallet).pack()
tk.Button(root, text="❌ Close", command=root.quit).pack()

root.mainloop()

How does it work?
1. Place in the same folder in the script, a file "words.txt" with all the words from BIP39 or others you want.
2. Run the script in Python.
3. The user selects the first letter of the word: The script only shows words that start with that letter. You can apply a second filter by the second letter to make the search easier.
4. Words appear scrambled in a 10-column layout. Whenever you click on a word, all the words are shuffled again.
5. The user selects the words by clicking on them. They appear in a field above, represented only by "****".
6.The number of selected words is displayed.
7. The "Fill in Wallet" button automatically enters the seed into the wallet recovery field.
8. After execution, the seed is erased from memory to avoid any trace.



As mentioned, this was my first Python script. I believe it can be improved, waiting for your suggestions and feedback.

[Hatchy]

I think your post was best on the project development board. Non the less;

your "SeedClicker" script is a brilliant concept that addresses keylogger risks, but I did find one potential flaw. What about users who have added a passphrase to their seed phrase for extra security? and those words may not be listed amongst the BIP39 words, they would still need to type in the passphrase using a keyboard, which could expose them to the keyloggers.

But then I think this issue could be mitigated by integrating voice to text script. This would allow users to input their passphrase securely, without relying on keyboard input. It's not a perfect solution, but it could provide an additional layer of security for users who want to use passphrases.

[joker_josue]

your "SeedClicker" script is a brilliant concept that addresses keylogger risks, but I did find one potential flaw. What about users who have added a passphrase to their seed phrase for extra security? and those words may not be listed amongst the BIP39 words, they would still need to type in the passphrase using a keyboard, which could expose them to the keyloggers.

I thought about that, and that's why the script doesn't have the words directly in it. It searches for words in a txt file, which can contain all the words the user wants. You can have BIP39 words in several languages, you can write your own words, no matter what words are there, the script will recognize them if there is one per line. I believe this ends up resolving this issue.

But then I think this issue could be mitigated by integrating voice to text script. This would allow users to input their passphrase securely, without relying on keyboard input. It's not a perfect solution, but it could provide an additional layer of security for users who want to use passphrases.

Voice input can be interesting, but it has a small but big challenge. It is the system correctly recognizing the voice. Everyone has different accents, we speak different languages, it could become a problem when the system recognizes a different word or doesn't recognize any word at all. This makes the tool more frustrating than useful.

I think your post was best on the project development board. Non the less;

Actually... I moved back there. 

[ABCbits]

I tried it for a bit on Debian and found 2 issue.

1. With default window size (top image), it doesn't show all characters (A - Z). I had to increase the width in order to show all characters (bottom image).





2. There's no mention delay between clicking "Fill wallet" and the script starting to type.

But other than that, i think you're doing great considering it's your first Python script.

[joker_josue]

1. With default window size (top image), it doesn't show all characters (A - Z). I had to increase the width in order to show all characters (bottom image).

I really had the dilemma about the size of the window. Perhaps it is best to set the horizontal size to automatic, so that it ensures that it always shows all the letter buttons.

2. There's no mention delay between clicking "Fill wallet" and the script starting to type.

It actually has a 3 second delay, to allow the user to choose the text field, where the words will be filled in.
Now you gave me the idea of ​​putting a timer counting down to start writing.

[Floxynice]

I think your post was best on the project development board. Non the less;

your "SeedClicker" script is a brilliant concept that addresses keylogger risks, but I did find one potential flaw. What about users who have added a passphrase to their seed phrase for extra security? and those words may not be listed amongst the BIP39 words, they would still need to type in the passphrase using a keyboard, which could expose them to the keyloggers.

I am not savvy in these things. I am just trying to integrate myself by learning as I could. I want to know how vulnerable we are, that we are afraid to type with our own gadgets. Having the Idea that someone is reading the keys I stroke or recording my screen is making me so uncomfortable and scared.

But then I think this issue could be mitigated by integrating voice to text script. This would allow users to input their passphrase securely, without relying on keyboard input. It's not a perfect solution, but it could provide an additional layer of security for users who want to use passphrases.

You mean it is safer to speak out our password than to type it?

[joker_josue]

I am not savvy in these things. I am just trying to integrate myself by learning as I could. I want to know how vulnerable we are, that we are afraid to type with our own gadgets. Having the Idea that someone is reading the keys I stroke or recording my screen is making me so uncomfortable and scared.

If your computer is infected with malware, yes it may be vulnerable. That's why it's recommended to always save the seed offline, preferably in physical format.
Now if your PC, where you have to open your wallet, is a clean and secure system, there is no problem. In the end, everything will depend on your behavior when using your computer.

But this tool can be useful in an extreme scenario where you feel the need to open your wallet in a less viable system. Scripting can help minimize the dangers. You don't eliminate them, but you can minimize them.

[PaulBf1]

I have some experience with python so I wanted to share my take on this. This is NOT a good way to fill in your seed pharse, the best approach is to always use the wallet's built-in recovery process. For a couple of reasons:

1- The main problem is that the script doesn’t actually protect you from the threats you’re trying to guard against (mainly keyloggers). The script uses pyautogui.typewrite() to enter the seed phrase, this method simulates keyboard input, which means:

• It's vulnerable to keyloggers
• The words are sent as plain keystrokes through the operating system
• Any malware monitoring keyboard input can capture these keystrokes

2- The selected words are stored in plain text in the selected_words list in memory. This is a big NO NO, even when the display is "hidden" (showing asterisks), the actual words are still stored in memory unencrypted.

3- I understand how this can go under the radar, but Memory dumps could potentially reveal the seed phrase as the script doesn't properly remove the data. The script uses selected_words.clear() inside the clear_all function to remove the words after each run, but in python this simply only removes the references to the strings, the actual string data remains in memory until garbage collected.

There are other risks of course but these are the main ones. Another one thats worth noting is the protection against screenloggers, the asterisk masking only applies to the final display meaining that the actual word selection process remains completely visible.

Would love to hear some counter arguments regarding the points mentioned by OP.

[PaulBf1]

But then I think this issue could be mitigated by integrating voice to text script. This would allow users to input their passphrase securely, without relying on keyboard input. It's not a perfect solution, but it could provide an additional layer of security for users who want to use passphrases.

No this wont help, this will actually only introduce even more security vulnerabilities and add multiple attack vectors:

• Same memory temporary storage vulnerabilities
• Likely introducing voice pattern analysis risks
• Network transmission interception
• All types of system audio recording malwares
• Audio processing services

TLDR: The most secure approach remains using dedicated hardware wallets or air-gapped devices, not adding more software layers that could be compromised.

[joker_josue]

Would love to hear some counter arguments regarding the points mentioned by OP.

Well, I don't have many counterarguments. As I said it was the first script that worked in python, so what guidance is welcome. Thank you in advance for your points.

While you can think of some scenarios where using script might be useful, it's not relevant to this type of development.

What I can ask is if there is a way to make the script more efficient, bypassing these mentioned points.

[PaulBf1]

Would love to hear some counter arguments regarding the points mentioned by OP.

Well, I don't have many counterarguments. As I said it was the first script that worked in python, so what guidance is welcome. Thank you in advance for your points.

While you can think of some scenarios where using script might be useful, it's not relevant to this type of development.

What I can ask is if there is a way to make the script more efficient, bypassing these mentioned points.

You could find some workarounds to try to mitigate the risks I've mentioned (for example encrypting the plaintext words, proper deletion from memory ect.). But tbh, its better to just stick with the manual input method, if you have to of course. There are more secure ways such as using passkeys ect..

[TryNinja]

You could find some workarounds to try to mitigate the risks I've mentioned (for example encrypting the plaintext words, proper deletion from memory ect.). But tbh, its better to just stick with the manual input method, if you have to of course. There are more secure ways such as using passkeys ect..

Would something like using pyperclip to copy the seed to the clipboard and then simulate a ctrl + v to paste be better than sending the keystrokes? Or same thing? Just some quick thoughts.

Code:

pyperclip.copy(SEED)
keyboard.press_and_release('ctrl+v')

To delete from memory, del selected_words and then call the garbage collector with gc.collect()?

I don't code in python, so I have limited knowledge about all of this.

[apogio]

Good effort, thank you!

just a question. Doesn't electrum already do that? I 've just tried it, to make sure I remembered correctly and the software actually does that. Is it different? I don't have the necessary time to actually test it, so sorry if I am mistaken.

[joker_josue]

Good effort, thank you!

just a question. Doesn't electrum already do that? I 've just tried it, to make sure I remembered correctly and the software actually does that. Is it different? I don't have the necessary time to actually test it, so sorry if I am mistaken.

In the case of Electrum you have to type the words on the keyboard. Maybe other wallets already have an alternative for this.



Thanks for your tips, I'll try to analyze some things to see if I can improve on these points indicated. 

[ABCbits]

Good effort, thank you!

just a question. Doesn't electrum already do that? I 've just tried it, to make sure I remembered correctly and the software actually does that. Is it different? I don't have the necessary time to actually test it, so sorry if I am mistaken.

In the case of Electrum you have to type the words on the keyboard. Maybe other wallets already have an alternative for this.



Thanks for your tips, I'll try to analyze some things to see if I can improve on these points indicated. 

I think @apogio refer to virtual keyboard plugin on Electrum. But from quick re-testing, it only appears when you need to enter password.

[apogio]

I think @apogio refer to virtual keyboard plugin on Electrum. But from quick re-testing, it only appears when you need to enter password.

Hi. In fact I was referring to this:

3. The user selects the first letter of the word: The script only shows words that start with that letter. You can apply a second filter by the second letter to make the search easier.

and I just meant that with electrum you can just type the first letter of the word and it would give you a list to choose the word from.

I realise that you wouldn't totally avoid the keylogging issue, since you 'd have to put the initial letter through the keyboard.

So yeah, it's different in this sense, because in OP's suggestion you click instead of typing.

[Joel_Jantsen]

Would something like using pyperclip to copy the seed to the clipboard and then simulate a ctrl + v to paste be better than sending the keystrokes? Or same thing? Just some quick thoughts.

Provides a bit more secure layer than what OP has to offer but I guess the risk here is placing the seed phrase into the clipboard is globally accessible by other applications. Manipulating/Retrieving clipboard data is supported out of the box by a lot of RATs. Hence, no so secure!

To delete from memory, del selected_words and then call the garbage collector with gc.collect()?

I don't code in python, so I have limited knowledge about all of this.

I wouldn't trust the garbage collector to erase data. They are optimized to allocate/deallocate memory so you're not guaranteed it'll erase stuff immediately as requested. Besides that, won't your code just dereference the memory pointer and not actually delete the data? If this approach should be taken, one you'd be better off accessing the heaps from the operating system. (if hackers are inside your system then can easily access the memory dumps anyway so none of the above is actually secure realistically )