Sunday, February 20, 2011

Security updates

We've been busy rolling out some new updates including some security enhancements - no passwords are stored on our site or emailed to users. We are using a neat hashing system which includes a per-user salt and purposely introduced collisions to make recovering a password highly unlikely (you must now follow an email link to reset your password). With some recent media reports of other major websites having their databases hacked and leaked publicly, we decided that with a good chance a lot of our users re-use passwords for PayPal or email accounts, we should make reversing our hashes as difficult as possible - which is why we're only storing partial hashes making a brute force password guessing attack less successful. Combined with incremental timeouts for incorrect passwords, and 128 bit SSL encryption of logins, we think our secure account system is the standard all sites should strive to meet.

Sunday, February 6, 2011

PayPal tracking issues with IPN

We've received a few reports over the weekend of the Profile based IPN setting overriding the transaction based IPN notify_url which is set automatically by

Normally the notify_url variable passed in a buy or donate button should override any profile set IPN url. If you are having issues with Donations not tracking - you can check the PayPal History section's IPN History to see the IPN URL used for past transactions, and to correct this issue - delete any Profile IPN setting and set the IPN to off to allow the transaction based one used by DonationsTracker to function.