Passwords for remote events?

Recently, I’ve been thinking of ways to prevent hackers from exploiting remote events. I came up with the idea to add passwords to remote events so hackers can’t just enter the parameters of the event and execute a random server function.



local Event1Password = "6345342345557465!!!?????///erfdwerf"

Event1:FireServer(Parameter, Parameter, Event1Password)


local Event1Password = "6345342345557465!!!?????///erfdwerf"

Event1:OnServerEvent:Connect(Function(Parameter, Parameter, Password)
     if Password == Event1Password then
          -- Blah Blah Blah

Is this a good idea? Is there anything else that would would similarly? Please let me know :smile:

The problem with the client is exploiters can just check the local script and have the password.


I thought exploiters could only detect if a script exists and not read it?

They could just get the password when it’s fired.

1 Like

Anything on the client can be taken. Models, scripts, etc.

The only way I can think of doing something like this is a randomly generated cryptographic signature that updates every time the remote is fired (or is generated based on a date time) and has validation on the server and then heavily obfuscated local script code. The problem is security through obfuscation like this still doesn’t work it just makes it a little bit more annoying to reverse engineer. If you put garbage functions that don’t do anything and obfuscate that along side it, eventually it’d be really difficult to tell how the cryptographic signature is generated and how the event is fired, but it’s still not a perfect solution at all.


Exploiters can see anything on the client, including client arguments.

1 Like

This helps a lot, thanks :grin:

I have heard of games using passwords with remotes before, however from what I gather the passwords don’t change on their own (it’s usually changed every now and then by the dev) meaning exploits would just fire it with the password required and be unaffected.

1 Like

Is there any other way to protect remote events? I’ve had a hard time finding alternatives :pensive:

Even if you did create a password system AND it was incredibly difficult to find the password, exploiters are able to change the arguments in remotes before they are sent to the server, meaning that they could just edit the values to whatever they please.

Server-side sanity checks.

Like someone said before, anything on the client get be taken and manipulated

Even if the developer does change the key every few days or what not, exploits have the ability to get the arguments of a remote event call, thus being able to automate this

Just do sanity checks on the server and you should be fine

Sanity check? never head of it

edit: nvm sorry