You misunderstand. You shouldn't have the password in memory. The password should basically never exist beyond the fractional second that you are validating it.
I know that. Which is why the hash should include just the password, and not a bunch of other data that would require having the password in plain text again just to let the user change something in their profile.
