Login password encryption with active directory

Question

My MVC5 application usage Active Directory and I am unable to use default .Net provided password encryption as AD doesn't support it.

My Controller is:

[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult Login(Account user)
{
    if (ModelState.IsValid)
    {
        if (Membership.ValidateUser(user.UserName, user.Password))
        {
            var principal = user.GetUserPrincipal(user.UserName, user.Password, user.DomainName);
            if (principal != null)
            {
                FormsAuthentication.SetAuthCookie(user.UserName, user.RememberMe);
                var returnUrl = GetRedirectFromLoginUrl();
                if (Url.IsLocalUrl(returnUrl))
                    return Redirect(returnUrl);
                else
                    return RedirectToAction("Index", "Home");
            }
            else
                ModelState.AddModelError("", "User Principal not created.");
        }
        else
        {
            ModelState.AddModelError("", "Login data is incorrect!");
        }
    }
    else
        ModelState.AddModelError("", "Login data is incorrect!");

    return View("Login", user);
}

The login works fine however I have a security issue. I can see my username, password, domain, etc. in clear text when I capture the data using IE9 developer tools (screen below):

__RequestVerificationToken=S-DKCSoudfTYsoBh4fj...&UserName=test&Password=testpassword&DomainName=domainName

Web.Config has this code:

<membership defaultProvider="ADMembership">
  <providers>
    <clear/>
    <add name="ADMembership" type="System.Web.Security.ActiveDirectoryMembershipProvider" connectionStringName="ADConn" attributeMapUsername="sAMAccountName" />
  </providers>
</membership>

Please help how to encrypt or hide the password.

Answer 1

Looks like this is the default behaviour in IE developer tools. I tried to login in Google, Microsoft sites and it also shows the password in plain text.

I dont know if this is security issue in IE or not but this is how its behaving.

Steps to view your passwrod:

1. Open Gmail or Live.com in IE9 (I tried in IE9)
2. F12 (open Developer Tools) -> Go to Network tab
3. Click Start Capturing button
4. Enter username/password (you can enter anything to test)
5. click Stop Capturing and then go to detailed view
6. in grid click on POST row and Go to "Request Body" tab
7. see the code with password as plain text at the last of _RequestVerificationToken......

If anyone finds any better solution, please let me know.

Answer 2

Has this question been answered? I just created a quick, MVC4 web app using VS2012. Set the project properties SSL Enabled to true and launched the project (set the solution root to the assigned ssl:port). And yep, you CAN SEE the password (and user ID) in plain text. So nothing to do with AD - it's either intended or a bug.

NOW FOR THE INTERESTING AND SCARY - and StackOverflow, PLEASE READ.

When I do the same F12 view logging into THIS SITE, I also see my user name and password IN PLAIN TEXT!

So either this is a "feature" of IE or potentially a bug in VS and a concern for all of us in StackOverflow.

Please respond ASAP. And BTW, I tried the same test with my bank log in and nope, you see nothing or encrypted text.