merland / seedpicker
Create your own BIP39 seed phrase, securely and transparently.

Home Page: http://seedpicker.net

License: MIT License

JavaScript 76.84% HTML 0.78% Shell 0.03% CSS 12.98% Gherkin 0.18% SCSS 9.18%

seedpicker's Introduction

SeedPicker

Introduction

SeedPicker wants to help you create good and safe private keys for your crypto wallets. The method has been designed to be easy to perform and understand for anyone. An even more important goal has been transparency: after having used SeedPicker you should be able to say the following with confidence:

  • I have understood every step of the process.
  • Nobody has had a chance to learn any part of my private key.
  • Nobody has had a chance to influence how my private key was created.

SeedPicker consists of the following two parts: the guide and the last word calculator.

Please also read through this intro and the FAQ.

The guide

The guide helps you generate your own private key, in the form of a seed phrase. This phrase looks like a weird sentence of 24 words. The first 23 words must be randomly selected from a predefined word list. We follow the most popular standard, BIP39, which is supported by most wallets and currencies. The method for randomly copying words from the list to build your random sentence is explained in a transparent and understandable way. The final, 24th word is calculated using a safe machine that you must have or create.

Source of randomness

The needed randomness must be sourced in a safe, private and understandable way. To minimize risks, we use these common physical objects: paper slips (like raffle tickets) that you can prepare yourself, and one 6-sided die. By using physical objects, the user can be fairly sure that nobody else can influence the randomness.

The SeedPicker last word calculator

Following the BIP39 standard, the last (24th) word of the seed phrase must be calculated from the first 23 words. The SeedPicker last word calculator does this for you. It is a JavaScript-powered web form that you download to the secure computer. Please read all instructions and make sure you use a secure environment and machine before you perform the calculation. If you take shortcuts here, you risk getting your keys or even coins irreversibly stolen.

Obligatory

This guide aims to educate the reader in a learning-by-doing fashion. However, it does not make any guarantees or promises, and does not take any responsibility for what anyone does with this material.

It is possible to use this guide to pick a seed phrase that may be "clever" or easy to remember in some way. NEVER DO THIS! If you do, there is a high risk that you lose your coins or your sensitive information. Private keys must be generated with a very high degree of randomness in order to be safe.

References

Feedback

Any kind of feedback is greatly appreciated!
Visit github.com/merland/seedpicker or send an email to [email protected]

seedpicker's People

Contributors

jimbojw, jorgen99, merland, sesam


seedpicker's Issues

Testnet Vpub Broken?

Steps to reproduce:

  1. http://seedpicker.net/calculator/last-word.html?network=testnet
  2. Input abandon 23x: abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon
  3. Seedpicker appends art to the mnemonic (correct) and produces this result:
    Extended Public Key in Vpub format (Testnet P2WSH) Vpub5ncJ4gVToMcTWjG4shBZHeeCUXhX5r86W9cwggqw1m6aojbrHxr9yJFsoXaiXrBfAzV3TaVyxCB6EYUW21SVayfcAhiVc9XRJS1WL4Gh9td

[Screenshot, 2020-08-06 4:35:23 PM]

This is incorrect, the Vpub should be Vpub5mLhmUp7c2mbtewB1ABALt1JhoCTuZU1aAhEBNUkAA1QzbzX4rg7PzupkWvuBs6yeM46z8QV2GfraXoHKw8dzVtnNW4zkHZBiqtBUKyCMeF

How to verify this Vpub:

  1. https://iancoleman.io/bip39/
  2. Enter abandon 23x with art on the end: abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon art
  3. Select BTC - Bitcoin Testnet, then click on the BIP141 tab towards the bottom.
  4. Enter m/48'/0'/0'/2' under BIP32 Derivation Path and select P2WSH (1-of-1 multisig) under Script Semantics - hacky, but that's what corresponds to what we're calculating. See here for more.
  5. See that BIP32 Extended Public Key is Vpub5mLhmUp7c2mbtewB1ABALt1JhoCTuZU1aAhEBNUkAA1QzbzX4rg7PzupkWvuBs6yeM46z8QV2GfraXoHKw8dzVtnNW4zkHZBiqtBUKyCMeF.

[Screenshot, 2020-08-06 4:42:28 PM]

Allow different seedphrase lengths

I've been making a few tests with incomplete seedphrases and checking the checksum with seedpicker is faster than calculating it myself.

However, I'd very much like to see seedpicker work with at least 11 word passphrases, possibly other lengths too

Allow user to choose entire 256 bit seed

The current implementation of seedpicker only allows a user to choose 253 of the 256 bits of potential entropy used. It should allow the user to choose all 256 bits. GUIDE.md states:

The last word of a 24 word seed is a checksum word, calculated using the other 23 words as input.

This is not correct. The last word of a 24 word seed contains three bits of entropy and eight bits of checksum. This last word is not a checksum word, but rather contains the checksum (over 25% of the last word is entropy). Now this may seem all rather pedantic, but since one of the main purposes of this project seems to be to allow the user to create their own entropy seed, shouldn't it allow the user to create the entire seed?

I have a good appreciation that I am speaking of only three bits out of 256 and how insignificant that is to the secure functioning of ECDSA. However, this is a very slippery slope. For example, I also have a good appreciation for how little 11 bits out of 256 is. That being true, maybe seedpicker should only ask the user for 22 words. Or maybe 21 words. You see where I'm going.

Generate the 24th word manually

Hello everyone.

I have one question, is it possible to generate the 24th, the checksum word, without a computer? I am asking this because I am thinking about the possibility of creating a wallet whose private key was never connected to a computer, maybe to a SeedSigner or a Krux.

Thanks and regards.

Hard to toggle between mainnet and testnet

Creating a new issue because #30 has become a mono-issue beast!

Currently, if you want to use seedpicker on testnet (as everyone should before using it for real), you either have to know this (semi-secret) URL, or do the following steps:

  1. Enter 23 words (or easier hit Generate sample)
  2. Hit Calculate
  3. Hit Show more
  4. Hit switch to testnet (and then re-enter your 23 words)

Testnet is a fantastic free resource that you can use with a faucet (no need to touch your real BTC), and as bitcoin fees increase it will only get comparatively more valuable. Cobo Vault recently added support for testnet and all other multisig wallets do, so I'm going to update my guide to recommend users start with testnet.

Recommendation: have some sort of toggle for testnet/mainnet before/separate from entering 23 words. It could be in the header, footer, near the calculate button, or somewhere else.

I could even see a version in the future where you disable the sample generation feature on mainnet only, but obviously that's another story altogether and I don't have a strong opinion there. All I can say is that I haven't audited the RNG implementation and like that I don't have to :)

No SSL Cert

Not strictly needed if you're building from source, but it does (rightly) shock some people.

Add QR Code Output

Will want to do this in a way that's compatible with Specter-Desktop.

From @stepansnigirev here:

Regarding QR codes - the same as for text - [xfp/derivation]xpub should work fine. Also, all json-like formats that Cobo Vault uses, but I am more a fan of simple plaintext for that. If you want to encode more than one xpub in the QR code you can separate it with \n and Specter will understand that.

Feature Request: Add Root Fingerprint to Output

It turns out this is required for interoperability with Coldcard as well as Spectre.

The easiest way to do this now is as follows, but it's obviously sketchy (destroys much of the security benefit of seedpicker!):

  1. Calculate last word for abandon repeated 23x here (will correctly return art):
    http://seedpicker.net/calculator/last-word.html
  2. Open up an Electrum console and input 24 words into this script:
>> from electrum import keystore
>> ks = keystore.from_bip39_seed("abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon art", passphrase="", derivation="m/48'/0'/0'/2'")
>> ks.get_root_fingerprint()
'5436d724'

[Screenshot, 2020-08-20 10:52:49 AM]

Code snippet on how to calculate the root fingerprint here:
https://github.com/spesmilo/electrum/blob/9d0bb295e6f55a2bff9f5b6770fa744c16af6e8a/electrum/keystore.py#L685-L690

This one may be easier to read:
https://github.com/lyndsysimon/bip32utils/blob/56f5a56d1c54e648f35b670a87efabbca08fffae/bip32utils/BIP32Key.py#L244-L266

Maybe for UX purposes, you'd want to hide this behind Show more (for advanced users)?

Display Output in Specter Friendly Way

From btcguide/btcguide.github.io#7

Some ideas:

Option A: Easiest solution

A string of text for copy-pasting. Specter uses a somewhat bizarre format that is:
[xfp/path]slip132pub
like this:
[083AA3DB/48h/0h/0h/2h]Zpub75b...bhK (they also accept 48'/0'/0'/2' but I think ' is harder than h for humans)

Notice that path has no leading m/

Option B: JSON File (to download)

A .json file that Specter can understand as it's one less step that users can mess up:

{
    "xfp": "083AA3DB",
    "p2wsh": "Zpub75X6f85rTN5uUwonxhEbVWe1HGd1kevff2nx9DMBHgp9R9mto2PgASkeqRs42w5fyT1MN9XG89VoDpx5sZSaB4yUJwaXd7ixVsX1FssYWxG",
    "p2wsh_deriv": "m/48'/0'/0'/2'"
}

A good name for this file would be seedpickerxp-083AA3DB.json as coldcard uses ccxp-083AA3DB.json

Option C: QR Code (to scan)

This would also be good, but I need to research the Specter format.
There are many use cases where you wouldn't do this though (perhaps you generate offline and burn to DVD, for example).


I think the best choice is Option B for now (as it's the lowest common denominator), with the goal to add a QR code soon?

Tooltips don't work well on iOS Safari

SeedPicker is not meant to be used primarily on mobile devices but people should be able to check it out on their phones or tablets.
To get the tooltips on the site (the circular question marks), the bulma extension bulma-tooltip has been used.
Works perfectly on all tested platforms except Safari on iOS (iPhone and iPad). The tooltips show up but don't go away until you click another question mark or the input field...

Strangely, iOS Safari behavior is good on the official demo, so I can't see why it doesn't work well on SeedPicker.

Seedpicker loses 3 bits of entropy

The 24th word contains 3 bits of entropy and 8 bits of checksum. When computing the 24th word, those 3 bits of entropy are always set to 0. They should be set randomly for maximum security.

Make Seedpicker compatible with Coldcard's Seed XOR

See Coldcard's Seed XOR. Scroll to Resulting Seed Phrase.

If you input the Resulting Seed Phrase silent toe meat possible chair blossom wait occur this worth option bag nurse find fish scene bench asthma bike wage world quit primary in Seedpicker, the 24th word is "all". The output of ColdCard's 24th word is "indoor". This is confusing for users who try to verify their seed.

Suggestion
At this moment Seedpicker automatically picks the alphabetically 1st outcome as discussed here and here and here which is the most user friendly and error avoiding way.
But for SEED XOR users it might be confusing, because (1) you'll have to find out that there are more checksums possible and (2) that Seedpicker always picks the first. Suggestions:

  • Let users select from all possible checksums where you label the first option as "default" or "recommended by Seedpicker" and after selection generate the xpub page.
  • Explicitly state on homepage that there are more possible checksum values and that Seedpicker picks 1st.
  • Output the other Alternative checksums in the "advanced section" where you make the checksums clickable so that if a user clicks it, it generates the xpub page.
  • Provide a separate file with which advanced users can generate all checksums.

Make last-word calculator the homepage?

The last word calculator (https://seedpicker.net/calculator/last-word.html) is great and ultimately what I'd guess almost all of the people who arrive at seedpicker are trying to use. I think it would be a better homepage, and the current https://seedpicker.net/ might be better suited for something like https://seedpicker.net/calculator/instructions.html.

Put differently: a UX this good doesn't require you to first read the manual :)

You could still link to the instructions from the last word calculator (as you currently do).

Allow user to input all 24 words

IN ORDER TO calculate the Extended Public Key(s) of an existing 24 word seed.
AS A user who already has obtained a 24 word seed elsewhere and want to use it in an Electrum multisig scheme.
I WANT to enter my 24 words into the field and be presented with the resulting Extended Public Keys

Copy change

There are 3 different multisig schemes that Electrum supports (p2sh, p2sh-wrapped-p2wsh, and p2wsh). You've implemented p2wsh (best choice), but that's going to be confusing to end users.

Since what you've implemented is called native segwit multisig (p2wsh) on Electrum, I'd recommend you add that copy.

Perhaps change to something like this?
Extended Public Key in Zpub format (Suitable for use in an Electrum Multi-signature scheme)
->
Extended Public Key in Zpub format for Electrum's native segwit multisig (p2wsh)

Trailing Space Breaks xpub/Zpub/XFP Calculation!

This tool is smart about checking that each word is in the BIP39 wordlist, but then seems to allow spaces to affect its calculation.

I didn't test leading space, but I suspect it would have the same problem.

cc @merland since this one is potentially quite serious.
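One way a calculator can make stray whitespace harmless, as an added example in Node.js that is not seedpicker's own code: the pasted text is normalised and split on runs of whitespace before any word is looked up, so leading, trailing or doubled spaces and tabs all yield the same word array. The `wordlist` parameter is assumed to be the English BIP39 list supplied by the caller; the test input below is constructed.

```javascript
// Added example (not seedpicker's own code): normalise pasted mnemonic text
// before looking words up, so whitespace cannot change the result.
// `wordlist` is assumed to be the English BIP39 list (2048 words), supplied
// by the caller; this example does not embed it.
const ACCEPTED_COUNTS = [11, 12, 14, 15, 17, 18, 20, 21, 23, 24]; // n-1 or n words

function parseMnemonicInput(raw, wordlist) {
  const lookup = new Map(wordlist.map((w, i) => [w, i]));
  // NFKD + lower-case mirrors the BIP39 normalisation of the mnemonic;
  // trim + split on any whitespace run drops stray spaces, tabs, newlines.
  const words = raw
    .normalize('NFKD')
    .toLowerCase()
    .trim()
    .split(/\s+/)
    .filter(Boolean);
  const unknown = words.filter((w) => !lookup.has(w));
  if (unknown.length > 0) {
    return { ok: false, error: 'unknown words: ' + unknown.join(', ') };
  }
  if (!ACCEPTED_COUNTS.includes(words.length)) {
    return { ok: false, error: 'unsupported word count: ' + words.length };
  }
  return { ok: true, words, indices: words.map((w) => lookup.get(w)) };
}

// Constructed inputs: the same 23 words with and without stray whitespace.
const clean = 'abandon '.repeat(22) + 'abandon';
const messy = '  ' + 'abandon\t'.repeat(11) + '\n' + 'abandon  '.repeat(12) + ' \n';
// Constructed stand-in for the real wordlist (only the words used here).
const tinyWordlist = ['abandon', 'art'];
console.log(parseMnemonicInput(messy, tinyWordlist).words.length); // 23
console.log(parseMnemonicInput(clean, tinyWordlist).words.join(' ') ===
            parseMnemonicInput(messy, tinyWordlist).words.join(' ')); // true
```

Because both the word array and the indices come from the normalised text, every later computation (checksum, xpub, fingerprint) sees identical input for the clean and the messy paste; an unknown token or a wrong word count is rejected before any key material is derived.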

Display QR

IN ORDER TO transfer the Extended Public Key from the airgapped computer without using pen and paper (big risk of making a mistake)
AS A user setting up a multisig scheme
I WANT to see a QR representation of the Extended Public Key on the screen

create a release

It would be helpful to have a tagged release in order to be sure what has been the status at a specific point in time.

Testnet displays xpub instead of tpub

abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon abandon

[Screenshot, 2021-06-06 4:48:27 PM]

I'd expect tpubDFkN51vYF36W4Yfn3wGv5fpmRo3ok7vZZjc1gmRJjumq33L776e6GkP4HGdCVjDqYiBahXCrXQKja8aUZ2xovQNS8WkF46MdY7TLHJLYD7H to be displayed (or at least a way to see that somewhere on the screen without using this tool).

req: Change PDF into GUIDE.md + image files for the tables

Suggest / request to make the pdf into a markdown file, so it can be easily iterated on right here on github, and for easier change tracking.

Maybe GUIDE.md is a suitable filename.

The tables probably can't be in markdown, or are hard to handle, but they can be saved in this repo as .PNG or .SVG and inline included.

TEST: afterwards, verify that printing "just works"

From a security point of view, loading a pdf from anywhere can be risky. And this .pdf will be loaded by coin owners and might become a target. Comparing pdf versions is also hard to do, losing change tracking.

feat: change short urls into instructions what to google/duckduck for and enough text from the url to be able to verify the correct search engine hit before opening the url

Hacks and takeovers of old domains happen all the time. Engines like duckduckgo are fairly free of tracking, and supply some added security against typosquatters. Apart from safety, it is also easier to avoid mistakes by typing in search words and verifying the resulting URL than by typing the URL directly. In the average case.

Extra warning when using "Generate sample"

As mentioned in #30, the Generate sample (only for testing) feature should come with an extra warning, to make it really clear to the user that SeedPicker should only be used for substantial amounts when they have provided the entropy themselves.

Controversial suggestion: make last word deterministic

While many words can serve as a checksum, the fact that a user who hits the Calculate! button twice will likely see two different results is very dangerous.

How this can cause loss of funds:

  1. User goes to http://seedpicker.net/calculator/last-word.html, enters their 23 words, and hits Calculate!
  2. User copies down Zpub to Electrum. It works and the user thinks they're doing everything correctly. They follow the next few steps on Electrum, perhaps say configuring their hardware wallet(s).
  3. User remembers they need to write down their entire mnemonic (including checksum word) on a piece of paper, USB, cryptosteel, etc.
  4. User assumes that the calculation is deterministic and instead of finding their old website tab (perhaps they even closed it), the user enters their 23 words into a new instance of this webpage.
  5. Webpage generates a different 24th word which they copy down to their cryptosteel, but the user is unaware that this does not match the Zpub they previously used in their Electrum multisig construction.

Years later, the user goes to use this key in recovery (perhaps another key was lost) and discovers that the seed they wrote down doesn't have access to their funds (which was the whole point of using this tool)! While it is theoretically possible for them to then try all the different valid 24th words, they don't know to do this and lose their life savings :(

Obviously, there is a competing argument that using some deterministic scheme slightly reduces the entropy of their seed. If you think more critically, you realize this reduction is very small (and any motivated attacker with a script could brute-force these few possibilities). When weighted against the risk of loss of funds, this tradeoff seems very worthwhile. To mitigate this, I recommend the following:

  1. Default to 23 words (not 11). Adding more entropy mitigates this problem.
  2. Link to this issue (or write your own copy and/or link to somewhere else on the internet) and explain how the checksum is calculated.
  3. In the advanced section, show all the other potential words that were not chosen. Very advanced users could figure out how to make this work for their use-case.

My suggestion is to use the alphabetical first valid word. The alphabetical last word would also be a good choice.

Rename to something like "electrum multisig seed generator"?

There are other derivation schemes that future multisig tools may use, and the derivation path with SLIP132 is a uniquely Electrum implementation. It's currently the leading standard for multi hardware wallet multisig, but that's probably because it's the only decent GUI for sovereign end-users. With HWI and several multisig companies using their own scheme, I wouldn't be surprised if there are more future standards.

Another option would be to add support for advanced users to toggle every option: let users generate their own derivation path, pick their own SLIP-132 version bytes (p2sh, p2sh-wrapped segwit, p2wsh), pick their network (mainnet/testnet), etc. To me that would be very cool for advanced users, but it is less useful for 99% of normal users, who are more likely to be confused and make a mistake.

Display XPUB

IN ORDER TO securely obtain the XPUB of the seed, and then write it down on a piece of paper
AS A user who is in the process of generating a secure seed
I WANT the last word calculator to also calculate the seed's XPUB and display it.

Rationale: If you have a securely generated seed and its corresponding XPUB, you can use this as an additional factor in a multifactor scheme, without having to buy an additional hardware wallet.

Possible next steps:
Display the derivation path
Display the XPUB as QR

Thanks to @mflaxman for this feature request!

Link to btcguide

SeedPicker is now incorporated in both the SeedPicker guide and the 10x Bitcoin Security Guide.
The caution text urges the user to read the SeedPicker guide only. The user should be presented with both options.
