I’m almost done with my game and I want to make sure it is secure from exploiters. I thought of a good idea would be to send a “password” as a parameter through the remote event. So it would look something like this:
Exploiters can unfortunately see all of the variables in your game, and what’s passed through RemoteEvents.
I also strongly advise you to not fire events such as giving coins to a player on the client - I recommend you do all of that on the server - without events.
Security through obscurity isn’t really secure. It just takes one exploiter to use RemoteSpy—they don’t even have to decompile your LocalScripts—and that method won’t be effective at all anymore. Also, that specific code will never work, since password will always be the player who fired the event.
I’d like to add onto this a little bit, to emphasise good points that have already been made by @TheRings0fSaturn and @rogchamp
It also makes no difference if you’re using a static password or a dynamic password (such as a key that changes via a pseudo-random key). In order to generate a pseudo-random key, you need to store the state of that which can be called as the regular client and it will be generated for the exploiter.
You’re best doing what has already been suggested, making sure to never trust the client as much as feasibly possible. You can obscure your RemoteEvents by sending your information in a custom binary format, but this is only an additional layer of obscurity and it isn’t guaranteed to be 100% secure, as nothing is.
This wouldn’t work although you can catch exploiters by adding “Fake Remote Events”, so you create a RemoteEvent called “GetAdmin” or anything thats interesting, everytime its fired you can Ban the player.
Having a hard coded password is a bad idea - it will not work.
History has, however, proven that using a dynamic password along with some encryption or hashing algorithms can be useful in stopping the… not as capable exploiters. If you want to decrease the number of people figuring out how to exploit your game, be my guess. That won’t be able to stop all exploiters though.
TLDR; Using a password system can be effective (edit: see Phantom Forces’ old serializer), but it’s only effective in that it stops beginner/intermediate level exploiters. As you have most likely seen a number of times, never trust the client. Place all critical infrastructure on the server. That is how you prevent exploiters almost entirely.