Game Matchmaking Password Security Question

I am working on a matchmaking system and there are private games. In order to join these games, you have to put in a password that is created by the game's host. So the game's host makes a game and sets the password "GoGoPowerRangers." The client would then put a password in and, if it's right, they can join. I know you cannot trust the client, but since the password is a random, user-generated password, would a hacker be able to get into the game?

Anyone would be able to get into the game if they brute-forced the password. But depending on how difficult the password is, that could take thousands of years.

The real question is how you are going to sanitize input from the player while keeping to the requirements of the chat filter as you allow players to enter and share custom passwords. Other than that, I doubt an exploiter would be able to exploit their way into a server. And even if they did, you should have some sort of check in place to kick them.

1 Like

Store the password on the server and only get the password input from the client. Do the comparison on the server and teleport if the comparison returns true.

While making secure systems on Roblox, we assume that the client is always a hacker who can never grant access to the server.

4 Likes

Grab the inputted password from the client, send to and verify in the server.

You could also lock out the UserId of anyone who inputs the wrong password too many times.

To the other people that replied: I am getting input from the client and checking it on the server, and if they match the player goes into the game. Thanks for the idea of kicking unwanted players, I forgot about that. The host will be able to kick unwanted players if they choose. As for the chat filter, when the host sends a message to the server saying they want to set the password, it will filter it and store the password. The host can change the password any time they want, so if they see "##########" they can change it.

I am not filtering the input of the player entering the password (the person trying to join), because nobody is ever going to see what they tried to put in.

1 Like
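Pulling the replies above together (password stored and compared only on the server, the host's password run through the text filter before it is stored, and a per-UserId attempt limit that kicks brute-forcers), here is an added example of what that server script could look like. This is not code from the original thread; the RemoteEvent/RemoteFunction names, the `games` table layout and the `registerGame` helper are assumptions for illustration. The Roblox services and methods used (`TextService:FilterStringAsync`, `TextFilterResult:GetNonChatStringForBroadcastAsync`, `Player:Kick`) are real APIs.

```lua
-- Added example (not from the thread): server-side private-game password check.
-- ServerScript. The client only ever sends text; the verdict is computed here.
-- Assumed names: RemoteEvent "SetGamePassword" and RemoteFunction "JoinPrivateGame"
-- in ReplicatedStorage.
local ReplicatedStorage = game:GetService("ReplicatedStorage")
local TextService = game:GetService("TextService")

local setPassword = ReplicatedStorage:WaitForChild("SetGamePassword") -- RemoteEvent (assumed)
local joinGame = ReplicatedStorage:WaitForChild("JoinPrivateGame")    -- RemoteFunction (assumed)

local MAX_TRIES = 10
local MAX_PASSWORD_LENGTH = 50

-- gameId -> { hostUserId = number, password = string or nil }
local games = {}
-- joinerUserId -> number of wrong attempts. Kept for the life of this server
-- instance so that leaving and rejoining does not reset the count.
local wrongTries = {}

-- Hypothetical helper: called by the matchmaking code when a host opens a game.
local function registerGame(gameId, hostPlayer)
	games[gameId] = { hostUserId = hostPlayer.UserId, password = nil }
end

-- The host's password may be shared with others, so it goes through the text
-- filter before it is stored. Filtered parts come back as '#'; the host can
-- simply set a new one if that happens.
local function filterPassword(hostPlayer, raw)
	if type(raw) ~= "string" or #raw == 0 or #raw > MAX_PASSWORD_LENGTH then
		return nil
	end
	local ok, result = pcall(function()
		return TextService:FilterStringAsync(raw, hostPlayer.UserId)
	end)
	if not ok then return nil end
	local ok2, filtered = pcall(function()
		return result:GetNonChatStringForBroadcastAsync()
	end)
	if not ok2 then return nil end
	return filtered
end

setPassword.OnServerEvent:Connect(function(hostPlayer, gameId, rawPassword)
	local entry = games[gameId]
	-- Only the host of this particular game may set or change its password.
	if not entry or entry.hostUserId ~= hostPlayer.UserId then return end
	local filtered = filterPassword(hostPlayer, rawPassword)
	if filtered then
		entry.password = filtered
	end
end)

joinGame.OnServerInvoke = function(player, gameId, enteredText)
	local entry = games[gameId]
	-- Reject malformed requests; an exploiter can send any type they like.
	if not entry or type(enteredText) ~= "string" then
		return false
	end
	local tries = wrongTries[player.UserId] or 0
	if tries >= MAX_TRIES then
		player:Kick("Too many wrong passwords")
		return false
	end
	-- The joiner's text is never shown to anyone, so it is not filtered;
	-- it is only compared here, on the server. A game with no password set
	-- (entry.password == nil) can never be joined this way.
	if enteredText == entry.password then
		wrongTries[player.UserId] = nil
		-- teleport the player or add them to the game's roster here
		return true
	end
	wrongTries[player.UserId] = tries + 1
	return false
end
```

Two things worth noting about the design: the limit is tracked per UserId on the server, so a single account gets at most ten guesses per server instance, but an exploiter with many alt accounts gets ten guesses each, so a long host-chosen password still matters more than the cap. And because the client only receives a true/false result, it has nothing useful to tamper with; the teleport or roster change happens server-side after the comparison succeeds.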

Simply put a maximum attempt limit in place to prevent brute-force exploiting.

I think a reasonable cap would be 10, since anyone who really knows the password will get it easily on the first or second try.

So, something like:

local maxTries = 10
local password = "GoGoPowerRangers" -- the host's password, stored on the server
local tries = {} -- wrong attempts per player, keyed by UserId

local function try(player, enteredText)
    local count = (tries[player.UserId] or 0) + 1
    tries[player.UserId] = count
    -- check the limit first so the 11th guess cannot let them in
    if count > maxTries then
        player:Kick("Too many wrong passwords") -- kick the player
        return false
    end
    if enteredText == password then
        tries[player.UserId] = nil
        return true -- let them in
    end
    return false
end