Payment failure status

Today we released a slight improvement to the reports interface: payment failure notices!

Before, you would see displayed on all gifts that haven’t been canceled or completed. However, this was a problem when gifts would fail to recur for some reason. While managers and donors would receive an email informing them of the situation, the interface would continue to say “Active”.

So today we introduced payment failure statuses:

While past payment failures will read “Fail: Unknown”, all new payment failures will have the reason listed in the reports page. Donors will also see this status in their accounts.

As always, donors can update their payment method and the gift will attempt a new installment.

We are planning a large revamp of the reports interface in the near future. Stuff like searching for gifts, filtering by status, managing them from the donor view in Accounts, and more stuff like that. Soon™.

Password Strength

Password Strength

When people are tasked to come up with a good password, often people will take some phrase or their mom’s name, switch a few characters around, and add a special symbol to the end. However, contrary to popular belief, this is actually a really bad password! The purpose of this post is to educate people on what a good password actually looks like. But first, let’s look at what sort of methods crackers use to break into people’s accounts.

Brute force

The brute force method is the one where a cracker will go through every possible combination of characters and check each one against your account. So first they’ll try “a”, and if that doesn’t work, they’ll try “b”, and if that doesn’t work, they’ll try “c”, and so on. And once they run out of letters, they try numbers. And then they try multiple letters: “aa”. I think you get the idea. For short passwords, this method is often effective. However, each additional character increases the amount of time to break the password exponentially.


In this method, an attacker will utilize known passwords (often obtained from a data breach) to try to break into one’s account. As these passwords are known to have been used before, it’s much more likely that another person used it as well. Have I Been Pwned offers a great tool that checks if a password has appeared in a data breach before.

GivingTools automatically checks your password against Have I Been Pwned.

So what is a good password?

A good password is one that is computer-generated. This doesn’t mean the password needs to be hard to remember, rather the password must have a sufficient amount of entropy to be considered secure.

One common method for secure password generation is Diceware. Diceware involves rolling a number of dice (5 or so), and from the results, looking up a word in a public word list. Do this 5 or so times, and you have a 5 word password. Now you may be thinking, if the word list is public, isn’t this susceptible to dictionary attacks? The key thing here is that you picked the words at random, this leaves approximately 1019 different passwords. Checking each one of these would actually turn into a brute force attack and due to the scale, is computationally infeasible.

The key thing to remember is that when you look at a password, you can’t really be sure how secure it is (those password strength meters are lying to you). We assume the attacker knows how the password was generated, be that Diceware or a password manager. What’s important is that there was a sufficient amount of entropy put into the generation algorithm. Usually around 20 bits is considered the bare minimum for password security, but more bits is always better!

So if you think you have a good password, try typing it into HIBP and you might be surprised! (Normally I wouldn’t recommend typing your passwords into another site, but this is the one site you can trust :).)

Passwordless Giving, No Captcha Checkouts, and More!

Today, we released a complete redesign of the GivingTools checkout experience. Not only will donors no longer have to enter a password to make donations, but they also won’t have to select road signs from a bunch of pictures!

What we’ve done: we’ve merged the second and third steps of the checkout experience into one step. In this new, consolidated step, donors fill out your custom fields, enter their email address, provide billing details, and select their payment method. They can also review their donation finally before hitting the checkout button.

No password is needed, not for the first gift, the seond, or the 200th. You will still need a password to access your account history, though. This update will add a new level of convenience that many have requested without reduction of the security of your data. In fact, your data is more secure through our passwordless system than using the old system!

We’ve also removed the captcha requirement. Instead of prompting every donor to pick out road signs, we created what we like to call the “Advanced Fraud Detection System.” While its implementation details are a trade secret, what we can tell you is that if it detects a bad guy, it’ll make them mine cryptocurrency! Furthermore, this tactic is easily scaleable. The more “badness” it detects, the more computational power will be required to continue. We hope that this method will ensure that legitimate donors will never have to complete a captcha and will experience a more streamlined checkout experience.

Previously, a donor’s account could only have one recurring payment method. This caused concern as manually entering a recurring gift would end up overwriting the donor’s existing recurring payment method. Furthermore, we required donors to log in first to prevent anyone from overwriting the donor’s account. To solve this problem, we added the ability for each gift to designate its own payment method. This allows manual entered gifts to use a separate payment method as well as allowing anyone to make a gift and not risk modification of the donor’s account.

With this update, we’ve also added the long-awaited recurring receipts! For each installment of a gift, the donor will receive a receipt outlining the gift’s history, total billed, and the tax deductible amount.

More convenience. Higher security. We’re working hard to constantly improve GivingTools, and we appreciate your feedback!


Securing your Organization’s Website

You should get a TLS (SSL) certificate for your organization’s website if you don’t already have one. While the embedded portal to GivingTools is done over a secure connection, crackers can still perform a man-in-the-middle attack and steal donor information. Additionally, starting in July 2018, Chrome will label all sites as “Not Secure” unless you have a TLS certificate. This will be very bad for contributions when donors see a big red “Not Secure” warning on your website.

To combat this problem, we highly recommend our customers get a TLS certificate for their websites. In the past, certificates could cost an upwards of several hundred dollars per year. But since early 2016, Let’s Encrypt, a non-profit, has been providing free (really!) TLS certificates.

Your first step would be to talk to your hosting provider. Ask them if they provide free TLS certificates. Reputable providers that care about security will usually provide these for free. A list of providers that support Let’s Encrypt can be found here.

If your service provider doesn’t offer free TLS certificates, it may be possible to use Let’s Encrypt directly. We suggest you talk with your IT professional, if you have one. There are some great instructions over on their website.

If you don’t have an IT person, the third option would be to use Cloudflare. On Cloudflare’s free plan, they not only provide free TLS certificates, but they also provide free DDoS protection and many other benefits. Troy Hunt, a well-known security expert, has made a free guide on

As usual, if you have any issues setting this up, don’t hesitate to contact us by email:

New Features and Stability Enhancements

The past few weeks have been quite busy. Among other things, we have enhanced the CSV export functionality as well as redesigned our recurring gift subsystem.

Enhanced CSV Export

On your Reports page, you will see that we’ve replaced the CSV link with this fancy Export button:

Pressing the button will bring up a new Export dialog. This gives you the option to specify the payment method, mode of export, the range of dates you would like to include. Selecting the appeal can be done above the graph on the reports page.

The Mode setting may be a bit confusing, allow me to explain.


In this mode, each row in the CSV export will represent a single gift. If the gift is one-time, there will only be one row. If recurring, all installments to that gift will be consolidated into one row under the Received Events column.


This mode is probably more familiar. Here, each row in the CSV export will represent a single payment. For a one-time gift, there will only be one row (as before), but for recurring, installments will be spread out over several rows.

Redesigned Recurring Gift System

Since the launch of GivingTools 2.0, some of our customers  experienced issues with recurring gifts—gifts would fail to recur, be prorated, or bill several installments at once. We dealt with this as reported, but sought a systemic solution to enhance the reliability of our system.

In the past few weeks, we’ve completely rebuilt our recurring gift system from the ground up. We’ve been monitoring the system since its launch, and we’re quite happy with the results. Not only has this new system fixed these issues, but it will also allow additional features such as:

  • The ability for second-time donors to donate without a password—this has been a major concern for many of our customers, and we hear you!
  • Being able to associate a recurring gift with a specific payment method instead requiring them to all use the same payment method.
  • Improved error reporting for card expiration and replacement.

These features will start rolling out over the next several months.

And of course, we’ve done a TON of minor enhancements and stability improvements all over the place. If you have an idea on a feature that you’d like to see, just let us know.

Manual Entry Without an Email Address

Here’s the situation:

You want to manually enter a donation you received by check—so that the donor gets a receipt and so that you can track this person’s giving.

You click the Manual Gift Entry button in your dashboard. But there’s a problem! You don’t have the donor’s email address, and the system requires a real email address! Here’s what we recommend…

Use your email address with a “+donor_name” before the @ sign. So, let’s say your email address is “” and the donor’s name is Mary Jane. Simply enter this as the email address:

As mail providers will typically forward everything from “” to “”, you are able to keep track of the donors separately in GivingTools while still sending receipts to a legitimate address! (In this case, your own.)

As you now have access to that donor’s personal account, if you ever figure out what their real email address is, you can login as the donor, go to their account, and update the email.

Transparent Embeds

Update July 2018: This post is outdated. To change the style of your forms, use the embed wizard instead.

GivingTools online giving enables you to embed forms into your website, making them look like a part of your site. To do it, you use a code snippet found in your dashboard under the Giving Form you wish to embed. That code is great for most sites, providing a scalable and attractive presentation that looks great.

However, if the background of your site is not white, the white form looks a little less native. With a little editing of the embed code, though, you can make your embedded appeal do this:

How? Simply add one of these bits of code to the end of the embed code:

  • For a opaque background (white), grey-ish text: ?style=normal (this is the default mode so `normal` isn’t required)
  • For a transparent background, white text (as demonstrated above): ?style=bg-transparent–fg-white
  • For a transparent background, black text: ?style=bg-transparent–fg-black

You would want to add “?style=bg-transparent–fg-white” to the end of the embed code GivingTools provides. For example:

<iframe id="gtEmbedFrame_1" src="" style="border:0; width:100%;"></iframe>
<script src="" integrity="sha256-kjBnXrBNDceEMg278ZjsCUEJ8VrWP2Tp158N9u7Yhdk=" crossorigin="anonymous" onload="iFrameResize({}, '#gtEmbedFrame_1');"></script>

And transparent background or not, don’t forget to snag a security certificate for the page you embed on. Get one free here.

Capital Campaign?

If you are planning a capital campaign, try out our “Campaign Pledge” appeal type. You’ll find it in your dashboard under Appeals. This appeal type enables donors to make a total pledge and then set up regular payments to fulfill it.

Interested in a robust capital campaign website? We also offer those…and we can drop your campaign pledge appeal right into a campaign website.

To learn more about why a capital campaign website may be a wise idea, visit this article.

Compatible Browsers

To ensure a secure environment, our service has built-in tools to warn users if their browser is out-of-date and provides a simple link to update it. This table shows what browsers are supported and which are not. For the most part, if your browser is younger than about five years old, you’re fine.