I have two microservices. Microservice A is sending a request to microservice B to register a user in the system, in the request there is a plain text password. Data exchange between those services is HTTP based.
The connection between those microservices is purely local so basically I should not really worry about password leaking anyhow but is it really a good programming practice to not encode password even between two local microservices?
The rule is that sensitive information should never be exchanged in plain text over an insecure connection. If you are in a fully closed environment, typically 2 services in the same host machine, encryption does not matter. But if the application is splitted in multiple services, those services could later be hosted in more distant places with a less secure network between them.
In that case a simple way is to protect the whole connection with SSL. HTTPS is no longer a too heavy load for nowadays servers, so it is an easy way to encrypt everything between the client part and the server part.
The nice point is that through proxying and reverse-proxying, it is easy to protect the communication between two java services without the services themselves seeing it. So if for any reason you cannot directly process HTTPS inside the microservices, you can always rely on Apache or nginx (reverse-)proxies to encrypt the communication between the microservices is it later use an insecure network. BTW, it is the common way to use HTTPS on Java servlets: the servlet is hosted in a Tomcat (or any other servlet container), and hidden behind an Apache httpd server (or any other reverse proxy) that handles the HTTPS part, and optionaly can serve static content.