Well, the password question is easy. The password is encrypted before it leaves the computer where the password was typed in, so anyone sniffing traffic on the internet will be stopped because the password is in plain text.
To prevent replay attacks you can reference the RFC for the TLS protocol.
http://tools.ietf.org/html/rfc4346#appendix-F.2
Outgoing data is protected with a MAC before transmission. To prevent message replay or modification attacks, the MAC is computed from the MAC secret, the sequence number, the message length, the message contents, and two fixed character strings. The message type field is necessary to ensure that messages intended for one TLS Record Layer client are not redirected to another. The sequence number ensures that attempts to delete or reorder messages will be detected. Since sequence numbers are 64 bits long, they should never overflow. Messages from one party cannot be inserted into the other's output, since they use independent MAC secrets. Similarly, the server-write and client-write keys are independent, so stream cipher keys are used only once.
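The record MAC described in the quoted RFC passage, as an added example that is not part of the original answer or of any TLS library: it computes the TLS 1.1 MAC over the implicit sequence number, type, version, length and contents, then shows replayed, reordered, reflected and retyped records being rejected. It assumes HMAC-SHA1, leaves out record encryption, and the `Sender`/`Receiver` names, secrets and payloads are constructed for illustration.

```python
import hashlib, hmac, struct

TLS11 = b"\x03\x02"          # protocol version bytes for TLS 1.1
APPLICATION_DATA = 23        # TLS content types
ALERT = 21

def record_mac(mac_secret, seq_num, content_type, fragment):
    """HMAC(secret, seq_num || type || version || length || fragment), RFC 4346 6.2.3.1."""
    header = struct.pack("!QB", seq_num, content_type) + TLS11 + struct.pack("!H", len(fragment))
    return hmac.new(mac_secret, header + fragment, hashlib.sha1).digest()

class Sender:
    # Hypothetical helper: the 64-bit sequence number is counted locally, never sent.
    def __init__(self, mac_secret):
        self.secret, self.seq = mac_secret, 0

    def protect(self, fragment, content_type=APPLICATION_DATA):
        tag = record_mac(self.secret, self.seq, content_type, fragment)
        self.seq += 1
        return (content_type, fragment, tag)

class Receiver:
    def __init__(self, mac_secret):
        self.secret, self.seq = mac_secret, 0

    def accept(self, record):
        content_type, fragment, tag = record
        expected = record_mac(self.secret, self.seq, content_type, fragment)
        if not hmac.compare_digest(expected, tag):
            return False     # a real peer sends a fatal bad_record_mac alert here
        self.seq += 1
        return True

def demo():
    # Constructed secrets and payloads; each direction has its own MAC secret.
    client_write = b"constructed-client-write-MAC-secret"
    server_write = b"constructed-server-write-MAC-secret"
    tx, rx = Sender(client_write), Receiver(client_write)
    r0 = tx.protect(b"USER alice")
    r1 = tx.protect(b"PASS example-only")
    return {
        "in_order": rx.accept(r0) and rx.accept(r1),
        "replay": rx.accept(r1),                       # receiver now expects seq 2
        "reorder": Receiver(client_write).accept(r1),  # seq 1 record arrives first
        "reflected": Receiver(server_write).accept(r0),  # sent back at its own sender
        "retyped": Receiver(client_write).accept((ALERT, r0[1], r0[2])),
    }
```

Only the in-order delivery verifies; every other case fails because one of the MAC inputs (sequence number, MAC secret or type) no longer matches what the receiver computes.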