Modern browsers and OS kernels have extensive mitigations against this. Reliably extracting a password from a browser process's heap would be newsworthy today.
I think “just” is apt. If you have a web request to send the password, you will have a url or username string very close by in memory that can be searched for.