Expanded Connectivity and Export Options

We’ve been working to create more connectivity with popular platforms and to offer additional data export options.

Here’s the run-down:

In Export, select the format called “Quickbooks” for a QuickBooks-friendly database export.

In Export, select the format called “MailChimp”. You can select the appeal, dates, and amount ranges to export contact info for donors that fit your criteria.

Attendee List
If you would like to snag a list of attendees for an event appeal, select the “Attendee List” format in Export.

Deposit Information
Would you like to know when your donations were deposited in your bank account? Simply view all your history, then click Export. Select the “Include Deposit Information” option. Your export will now include the date each gift was deposited and the total amount of the batch it was included in.

Coming Soon: Salesforce
We are deep into a direct integration with Salesforce. Once completed, you will be able to automatically sync your GivingTools activity to Salesforce.

Zapier is a popular connectivity platform that enables you to connect GivingTools to a host of other platforms that are Zapier-compatible. This is a do-it-yourself option, if you want to make a connection that we do not overtly offer. To access this option, visit Help in your dashboard, click Zapier in the navigation, and click to gain access.

GivingTools Now Offers Free Text to Give

We’re pleased to announce that text to give is now offered on the GivingTools platform.

This new feature is easy to use…and we are providing it at no additional cost to our customers.

To activate text to give, simply scroll down to the Short Code section of your giving page (or edit any giving form and scroll to the Short Code section). There, you can enter a short code for your giving page or giving form. You can also customize the text message that donors receive.

To use text to give, your donors simply text the short code to the toll-free number. They then receive a texted reply that shows your text message, along with a link that takes them directly to your giving page or form. It’s that easy!

Google Analytics integration!

Many of you have been asking for it, and now we have it. Last month, we added support for using Google Analytics on your giving pages and forms!

All you have to do is get your Google Analytics tracking ID (which will look similar to this: UA-XXXXXXXX-X), and put it in the new section of the settings page.

That’s it! Once you’ve added the tracking ID, you should start seeing visitors in your Google Analytics account.

Payment failure status

Today we released a slight improvement to the reports interface: payment failure notices!

Before, you would see “Active” displayed on all gifts that hadn’t been canceled or completed. However, this was a problem when gifts would fail to recur for some reason. While managers and donors would receive an email informing them of the situation, the interface would continue to say “Active”.

So today we introduced payment failure statuses:

While past payment failures will read “Fail: Unknown”, all new payment failures will have the reason listed in the reports page. Donors will also see this status in their accounts.

As always, donors can update their payment method and the gift will attempt a new installment.

We are planning a large revamp of the reports interface in the near future. Stuff like searching for gifts, filtering by status, managing them from the donor view in Accounts, and more stuff like that. Soon™.

Password Strength

When people are tasked to come up with a good password, often people will take some phrase or their mom’s name, switch a few characters around, and add a special symbol to the end. However, contrary to popular belief, this is actually a really bad password! The purpose of this post is to educate people on what a good password actually looks like. But first, let’s look at what sort of methods crackers use to break into people’s accounts.

Brute force

The brute force method is the one where a cracker will go through every possible combination of characters and check each one against your account. So first they’ll try “a”, and if that doesn’t work, they’ll try “b”, and if that doesn’t work, they’ll try “c”, and so on. And once they run out of letters, they try numbers. And then they try multiple letters: “aa”. I think you get the idea. For short passwords, this method is often effective. However, each additional character increases the amount of time to break the password exponentially.


In this method, an attacker will utilize known passwords (often obtained from a data breach) to try to break into one’s account. As these passwords are known to have been used before, it’s much more likely that another person used it as well. Have I Been Pwned offers a great tool that checks if a password has appeared in a data breach before.

GivingTools automatically checks your password against Have I Been Pwned.
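One way a breached-password check can be done without sending the password anywhere, using the range lookup of Have I Been Pwned's Pwned Passwords API. This is an added example, not GivingTools' own code: the network call is replaced by an offline stub, and the breached entries and counts are constructed.

```python
import hashlib

# Constructed stand-in for the breach corpus; the counts are made up.
CONSTRUCTED_BREACHED = {"password": 12345, "P@ssw0rd!": 678}
seen_by_server = []  # everything the stub "server" receives from the client


def sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_api(prefix):
    """Offline stub shaped like GET https://api.pwnedpasswords.com/range/<prefix>:
    returns 'SUFFIX:COUNT' lines for every known hash with that 5-char prefix."""
    seen_by_server.append(prefix)
    lines = ["0" * 35 + ":1"]  # constructed decoy entry
    for pw, count in CONSTRUCTED_BREACHED.items():
        digest = sha1_upper(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def breach_count(password, fetch_range=fake_range_api):
    """Return how often the password appears in the corpus (0 = not found)."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]  # only the prefix leaves the client
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:  # the match is decided locally
            return int(count)
    return 0


def acceptable_at_signup(password):
    """Policy sketch (an assumption): reject anything seen in a breach."""
    return breach_count(password) == 0


if __name__ == "__main__":
    for pw in ("password", "P@ssw0rd!", "five random diceware words here"):
        print(repr(pw), breach_count(pw))
    print("server only ever saw:", seen_by_server)
```

The server receives only the first five hex characters of the SHA-1 hash, so it never learns which password was checked.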

So what is a good password?

A good password is one that is computer-generated. This doesn’t mean the password needs to be hard to remember, rather the password must have a sufficient amount of entropy to be considered secure.

One common method for secure password generation is Diceware. Diceware involves rolling a number of dice (5 or so), and from the results, looking up a word in a public word list. Do this 5 or so times, and you have a 5 word password. Now you may be thinking, if the word list is public, isn’t this susceptible to dictionary attacks? The key thing here is that you picked the words at random, which leaves approximately 10^19 different passwords. Checking each one of these would actually turn into a brute force attack and, due to the scale, is computationally infeasible.

The key thing to remember is that when you look at a password, you can’t really be sure how secure it is (those password strength meters are lying to you). We assume the attacker knows how the password was generated, be that Diceware or a password manager. What’s important is that there was a sufficient amount of entropy put into the generation algorithm. Usually around 20 bits is considered the bare minimum for password security, but more bits is always better!
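The Diceware procedure and its entropy, worked through as an added example (not code from the original post). The word list is a constructed placeholder so the block runs offline, and the guess rate in `years_to_exhaust` is an assumption.

```python
import math
import secrets

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD  # 7776 possible results from five dice

# Constructed placeholder list; a real Diceware list maps each of the
# 7776 roll sequences to a word.
WORDLIST = [f"word{i:04d}" for i in range(LIST_SIZE)]


def roll_dice(n=DICE_PER_WORD):
    """Simulate n fair dice with the OS CSPRNG (not the random module)."""
    return [secrets.randbelow(6) + 1 for _ in range(n)]


def rolls_to_index(rolls):
    """Read the rolls as a base-6 number: 1-1-1-1-1 -> 0, 6-6-6-6-6 -> 7775."""
    index = 0
    for r in rolls:
        if not 1 <= r <= 6:
            raise ValueError(f"not a die face: {r}")
        index = index * 6 + (r - 1)
    return index


def generate_passphrase(n_words=5, wordlist=WORDLIST):
    if len(wordlist) != LIST_SIZE:
        raise ValueError("word list must have exactly 6**5 entries")
    return " ".join(wordlist[rolls_to_index(roll_dice())] for _ in range(n_words))


def keyspace(n_words=5):
    """Passphrases an attacker who knows the method and list must search."""
    return LIST_SIZE ** n_words


def entropy_bits(n_words=5):
    return n_words * math.log2(LIST_SIZE)


def years_to_exhaust(n_words=5, guesses_per_second=1e10):
    """Worst-case search time at an assumed guess rate."""
    return keyspace(n_words) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print(generate_passphrase())
    print(f"{keyspace():.2e} passphrases, {entropy_bits():.1f} bits")
    print(f"{years_to_exhaust():.0f} years at 1e10 guesses/s")
```

The entropy comes entirely from the random rolls, which is why publishing the word list does not weaken the passphrase.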

So if you think you have a good password, try typing it into HIBP and you might be surprised! (Normally I wouldn’t recommend typing your passwords into another site, but this is the one site you can trust :).)

Passwordless Giving, No Captcha Checkouts, and More!

Today, we released a complete redesign of the GivingTools checkout experience. Not only will donors no longer have to enter a password to make donations, but they also won’t have to select road signs from a bunch of pictures!

What we’ve done: we’ve merged the second and third steps of the checkout experience into one step. In this new, consolidated step, donors fill out your custom fields, enter their email address, provide billing details, and select their payment method. They can also review their donation one final time before hitting the checkout button.

No password is needed, not for the first gift, the second, or the 200th. You will still need a password to access your account history, though. This update will add a new level of convenience that many have requested without reducing the security of your data. In fact, your data is more secure through our passwordless system than using the old system!

We’ve also removed the captcha requirement. Instead of prompting every donor to pick out road signs, we created what we like to call the “Advanced Fraud Detection System.” While its implementation details are a trade secret, what we can tell you is that if it detects a bad guy, it’ll make them mine cryptocurrency! Furthermore, this tactic is easily scalable. The more “badness” it detects, the more computational power will be required to continue. We hope that this method will ensure that legitimate donors will never have to complete a captcha and will experience a more streamlined checkout experience.

Previously, a donor’s account could only have one recurring payment method. This caused concern as manually entering a recurring gift would end up overwriting the donor’s existing recurring payment method. Furthermore, we required donors to log in first to prevent anyone from overwriting the donor’s account. To solve this problem, we added the ability for each gift to designate its own payment method. This allows manually entered gifts to use a separate payment method as well as allowing anyone to make a gift and not risk modification of the donor’s account.

With this update, we’ve also added the long-awaited recurring receipts! For each installment of a gift, the donor will receive a receipt outlining the gift’s history, total billed, and the tax deductible amount.

More convenience. Higher security. We’re working hard to constantly improve GivingTools, and we appreciate your feedback!


Securing your Organization’s Website

You should get a TLS (SSL) certificate for your organization’s website if you don’t already have one. While the embedded portal to GivingTools is done over a secure connection, crackers can still perform a man-in-the-middle attack and steal donor information. Additionally, starting in July 2018, Chrome will label all sites as “Not Secure” unless you have a TLS certificate. This will be very bad for contributions when donors see a big red “Not Secure” warning on your website.

To combat this problem, we highly recommend our customers get a TLS certificate for their websites. In the past, certificates could cost upwards of several hundred dollars per year. But since early 2016, Let’s Encrypt, a non-profit, has been providing free (really!) TLS certificates.

Your first step would be to talk to your hosting provider. Ask them if they provide free TLS certificates. Reputable providers that care about security will usually provide these for free. A list of providers that support Let’s Encrypt can be found here.

If your service provider doesn’t offer free TLS certificates, it may be possible to use Let’s Encrypt directly. We suggest you talk with your IT professional, if you have one. There are some great instructions over on their website.

If you don’t have an IT person, the third option would be to use Cloudflare. On Cloudflare’s free plan, they not only provide free TLS certificates, but they also provide free DDoS protection and many other benefits. Troy Hunt, a well-known security expert, has made a free guide on HTTPSIsEasy.com.

As usual, if you have any issues setting this up, don’t hesitate to contact us by email: support@givingtools.com

New Features and Stability Enhancements

The past few weeks have been quite busy. Among other things, we have enhanced the CSV export functionality as well as redesigned our recurring gift subsystem.

Enhanced CSV Export

On your Reports page, you will see that we’ve replaced the CSV link with this fancy Export button:

Pressing the button will bring up a new Export dialog. This gives you the option to specify the payment method, mode of export, and the range of dates you would like to include. Selecting the appeal can be done above the graph on the reports page.

The Mode setting may be a bit confusing, so allow me to explain.


In this mode, each row in the CSV export will represent a single gift. If the gift is one-time, there will only be one row. If recurring, all installments to that gift will be consolidated into one row under the Received Events column.


This mode is probably more familiar. Here, each row in the CSV export will represent a single payment. For a one-time gift, there will only be one row (as before), but for recurring, installments will be spread out over several rows.

Redesigned Recurring Gift System

Since the launch of the GivingTools online fundraising platform 2.0, some of our customers experienced issues with recurring gifts—gifts would fail to recur, be prorated, or bill several installments at once. We dealt with this as reported, but sought a systemic solution to enhance the reliability of our system.

In the past few weeks, we’ve completely rebuilt our recurring gift system from the ground up. We’ve been monitoring the system since its launch, and we’re quite happy with the results. Not only has this new system fixed these issues, but it will also allow additional features such as:

  • The ability for second-time donors to donate without a password—this has been a major concern for many of our customers, and we hear you!
  • Being able to associate a recurring gift with a specific payment method instead of requiring them to all use the same payment method.
  • Improved error reporting for card expiration and replacement.

These features will start rolling out over the next several months.

And of course, we’ve done a TON of minor enhancements and stability improvements all over the place. If you have an idea on a feature that you’d like to see, just let us know.

Manual Entry Without an Email Address

Here’s the situation:

You want to manually enter a donation you received by check—so that the donor gets a receipt and so that you can track this person’s giving.

You click the Manual Gift Entry button in your dashboard. But there’s a problem! You don’t have the donor’s email address, and the system requires a real email address! Here’s what we recommend…

Use your email address with a “+donor_name” before the @ sign. So, let’s say your email address is “Bob@amazingnonprofit.org” and the donor’s name is Mary Jane. Simply enter this as the email address:


As mail providers will typically forward everything from “me+somejunk@xyz.com” to “me@xyz.com”, you are able to keep track of the donors separately in GivingTools while still sending receipts to a legitimate address! (In this case, your own.)

As you now have access to that donor’s personal account, if you ever figure out what their real email address is, you can log in as the donor, go to their account, and update the email.