now you're being disingenuous. the passwords aren't stored in server memory. the passwords aren't stored anywhere, because they're hashed + salted. the most that can be stolen are the hashes.
You're mistaken. After OpenSSL decrypts data it recieves from the client it temporarily stores it in RAM. You can use heartbleed to get the POST data or part of it when a user logs in if you can time it right. The POST data of course contains the password in plaintext, the hashing is done server-side.
It is difficult to time it right but it does work. However it is incredibly easy to steal session id's using heartbleed as the session id is sent every time a user views a page. An attacker can then use that session id to login as the user.