Yes it is "safe" since whatever is in memory is in your server's memory and should not be able to be read externally.
Safe is in quotes as everything is relative and the risk level depends on your perceived threat model - i.e. what threats are you trying to defend against?
The much publicised Heartbleed bug allowed attackers to retrieve items from servers' memory in 64KB chunks. However, the strategy here is to have a vulnerability management (patching process) in place rather than coding round these types of problems.
Regarding encrypting passwords - this is something you should rely on HTTPS for rather than encrypting them on the client in Javascript. When they arrive on your server store and compare them in hashed format using a slow algorithm such as bcrypt, scrypt or pbkdf2. Also use cookies marked with the secure & http only flags, implement a HSTS policy and you should be good to go on the password storage and transmission front.
CERT's advice regarding handling sensitive data in memory is here.
The parts most relevant to your question are:
- Disable memory dumps.
- Do not store sensitive data beyond its time of use in a program.
- Do not store sensitive data in plaintext (either on disk or in memory).
- If you must store sensitive data, encrypt it first.
- Securely erase sensitive data from disk and memory.
This means that while the whole hashing scheme is to prevent an
attacker from gaining access to passwords EVEN IF the server is
compromised, a skilled hacker could get at it anyway.
Remember that having a secure system does not only mean you need to have secure coding practises and secure infrastructure. This is because you can never have 100% security. Part of the puzzle that this would be missing is any form Intrusion Detection/Prevention (IDS/IPS). This takes the view that systems will be compromised at some point, so rather than trying to prevent every conceivable type of attack, you instead detect it, allowing you to take appropriate immediate action. This would cover you in the event that an attacker managed to compromise your system and started to harvest credentials as they arrive during the login process.