Hello @ZS
All B2C calls are by default over HTTPS, which includes the POST call to set or change the password in the B2C directory as well. To modify the body of the POST call, the call needs to be decrypted first.
If you are storing the password in an external database or external system via REST API Technical Profile, you need to make sure that the service URL in that Technical Profile is also configured to use HTTPS and not HTTP.
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.