I just send username and password over https. Is this ok?

This is fine. You don't need to do anything else. There is no need to hash it or obfuscate it in RAM.

You should be careful to hash the password appropriately on the server side before storing it in persistent memory (e.g., in a database), and you should take care to use proper methods for password hashing. See, e.g., How to securely hash passwords?, Which password hashing method should I use?, Most secure password hash algorithm(s)?, Do any security experts recommend bcrypt for password storage?.

If you want to provide additional security for your users, here are some steps you could take:

  • Use site-wide SSL/TLS. Any attempt to visit your site through HTTP should immediately redirect to HTTPS.

  • Enable HSTS on your site. This tells browsers to only connect to you via HTTPS. PayPal uses it. It is supported in recent versions of Firefox and Chrome.

I'm not saying you need to do these things (though site-wide SSL/TLS makes a big difference). But these are some options that can help strengthen security against some common attack vectors.


One additional thing you could do would be to use client certificates. The server can only guarantee to itself that there is no MitM by requiring a client cert. Otherwise, he has to trust the client to properly validate the absence of a MitM. This is more than a lot of services should be willing to trust.