This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(220.8, 61%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERK%3C/text%3E%3C/svg%3E)
Hi Team,
We are using custom policies for sign in and sign up of ad b2c user flows. The password is shown as plain text in form data when user signs in or signs up which seems to be a security flaw and makes system vulnerable for attack ...how can I encrypt the password being sent..?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(195.2, 0%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVM%3C/text%3E%3C/svg%3E)
@Ronnie Kapoor I just wanted to check in and see if you had any other questions or if you were able to resolve this issue? If you have any other questions, please let us know.
Thank you for your time and patience throughout this issue.
=========================================================================================================
Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.
Hi @Ronnie Kapoor • Thank you for reaching out.
You may consider using Hash claims transformation for this purpose, as mentioned below:
<ClaimsTransformation Id="HashPasswordWithEmail" TransformationMethod="Hash">
<InputClaims>
<InputClaim ClaimTypeReferenceId="password" TransformationClaimType="plaintext" />
<InputClaim ClaimTypeReferenceId="email" TransformationClaimType="salt" />
</InputClaims>
<InputParameters>
<InputParameter Id="randomizerSecret" DataType="string" Value="B2C_1A_AccountTransformSecret" />
</InputParameters>
<OutputClaims>
<OutputClaim ClaimTypeReferenceId="hashedPassword" TransformationClaimType="hash" />
</OutputClaims>
</ClaimsTransformation>
Read more: https://learn.microsoft.com/en-us/azure/active-directory-b2c/general-transformations#hash
Having said that, the traffic to Azure AD B2C is sent over HTTPS and form data is visible when you have access to the private key to decrypt the SSL traffic. If you are checking it using Fiddler or Browser Tools (F12), you must be seeing the decrypted traffic but if some malicious user captures the traffic over the network, he/she won't be able to inspect the SSL traffic.
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(121.6, 11%, 21%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKG%3C/text%3E%3C/svg%3E)
Hello @AmanpreetSingh-MSFT ,
I see this is a 3 year old post and response.
I still have a question on the same topic where the form data is going as plain text.
Though it goes via Https, the possibility for MiTM still exists. It also doesnt solve the defence in depth mechanism and the connection starts from the browser where it can still be sniffed. what is your thought and solution for the same ?