Making games more secure

Does this secure my game?

LocalScript

wait(3)
-- Hacker
game.ReplicatedStorage.RemoteEvent:FireServer(11894178)
wait(4)
--Admin
game.ReplicatedStorage.RemoteEvent:FireServer(1235)

ServerScript

local password = 1235

game.ReplicatedStorage.RemoteEvent.OnServerEvent:Connect(function(plr,key)
	if (key ~= password) then
		print(plr.Name.." tried to get access to an Event and failed!")
	elseif (key == password) then
		print(plr.Name.." knows the password!")
	end
end)

I am basically setting a password that only trusted people will know, or only the script will know.
So hackers would require the password to make any changes.

18 Likes

No.

An exploiter can easily look into the script.

9 Likes

No because exploiters can see anything stored in memory, including the variable ‘password’.

8 Likes

What if it was so that you need to type the password in a textbox?

4 Likes

But then every time your script wants to fire a remote, you would need to input a password. It’s impractical.

4 Likes

Then how would I make my game 100% secure?

Or is there no way?

3 Likes

There is no way to make a game 100% secure.

The only thing that you can do is remember to never trust the client.

Instead you can include checks to see that the values inputted into the remotes are not something crazy that a script would never put in. For example, if you had a remote that gives the player money (DON’T, that’s crazy), include checks to ensure that when it should only be giving small amounts of money, it doesn’t suddenly ask the server to give the player 1000000.

14 Likes

Thanks for your suggestion.

4 Likes

Depending on the game, yes there is. Just not the client.

7 Likes

Can you show me some examples if so?

2 Likes

@RedcommanderV2 @RedDuck765 OP is matching a password sent through a remote with a password stored on the server. Nobody can see this server value unless the game is leaked or somebody leaks the password. Regardless, exploiters do not have access to server scripts.

Do not use a key that can be easily shared with other people. People will be dishonest, that is just reality. Instead use an admin system, where you only allow players with UserIds that you manually add to a list serverside to use this remote.

5 Likes

This system could be bypassed even if you didn’t look in the script, using the NaN comparison trick, due to how it’s structured. Since NaN always returns false in comparisons, it could be used to completely evade this check like so:

Attacker:

game.ReplicatedStorage.RemoteEvent:FireServer(0/0)

Server:

game.ReplicatedStorage.RemoteEvent.OnServerEvent:Connect(function(plr,key)
	if (key ~= password) then
		print(plr.Name.." tried to get access to an Event and failed!")
	elseif (key == password) then
		print(plr.Name.." knows the password!")
	end
	print('Player either got the key or evaded it')
end)

4 Likes

NaN ~= password would match true? NaN doesn’t poison this.

4 Likes

Assuming he has code below this check.

3 Likes

That would work with any number other than the password, not just NaN.

3 Likes

So from what I see in the comments, there is no way to secure your game fully, right?

2 Likes

There is. Not trusting the client will make your game 100% secure (speed hacks, aimbots, etc. are a different story). You can’t secure the client code, but your server code is unreadable to hackers and can be bulletproof.

6 Likes

My bad, I looked at the comparison wrong. Should have looked a bit closer.

4 Likes

Why are you trying to make a password for a remote event? Rather than comparing the passcode inputted, why can’t you just compare a UserId?

Example:

game.ReplicatedStorage.RemoteEvent.OnServerEvent:Connect(function(plr)
	if (plr.UserId ~= YOUR_ID) then
		print(plr.Name.." tried to get access to an Event and failed!")
	else
		print(plr.Name.." knows the password!")
	end
	print('Player either got the key or evaded it')
end)

Could you put this in context as to what this is actually for? It states admin in your commenting, which makes me believe that this is an event that could only be run by admins (aka you, etc.)

10 Likes

You can do your best to secure your game by double checking server side whether or not remote calls are realistic. Do not give the client the ability to decide whether or not they have admin rights (such as through a password system).

6 Likes
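
The advice from the replies above (a server-side UserId allowlist plus sanity checks on what the remote receives), put together as an added example that is not code from any poster in this thread. It assumes the same `RemoteEvent` in `ReplicatedStorage` that the thread uses; `ADMIN_USER_IDS`, `MAX_AMOUNT` and `isValidAmount` are hypothetical names, and the UserId shown is a constructed placeholder.

```lua
-- Server Script (for example in ServerScriptService). Added example, not from the thread.
local ReplicatedStorage = game:GetService("ReplicatedStorage")

-- Assumption: the RemoteEvent has the same name and location as in the thread.
local remote = ReplicatedStorage:WaitForChild("RemoteEvent")

-- Allowlist kept only on the server. The id below is a constructed placeholder.
local ADMIN_USER_IDS = {
	[123456789] = true,
}

local MAX_AMOUNT = 100 -- hypothetical upper bound for a single request

-- Returns true only for a finite whole number inside [1, MAX_AMOUNT].
local function isValidAmount(value)
	if typeof(value) ~= "number" then
		return false -- a client can send any type: string, table, nil
	end
	if value ~= value then
		return false -- NaN is the only value that is not equal to itself
	end
	if value < 1 or value > MAX_AMOUNT then
		return false -- also rejects math.huge and -math.huge
	end
	return value == math.floor(value)
end

remote.OnServerEvent:Connect(function(player, amount)
	-- `player` is filled in by the engine, not by the client's arguments.
	if not ADMIN_USER_IDS[player.UserId] then
		warn(player.Name .. " fired the admin remote without permission")
		return -- stop here so nothing below runs for non-admins
	end
	if not isValidAmount(amount) then
		warn(player.Name .. " sent an invalid amount")
		return
	end
	print(player.Name .. " is allowed to grant " .. amount)
	-- Perform the privileged action here.
end)
```

The early `return` on each failed check is what keeps code placed after the checks from running for a rejected request.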