Your scripts look like you're trying to require both a private key and a password. As you said, an intermediary or miner could get the password and try to do something with it before the transaction gets in a block, and of course you'd only want to use that "address" once.
But if you're trying to require knowing two things, then you're probably better off just doing a 2-of-2 multisig transaction. And if you want one of the keys to be something short and memorable (to do something similar to a 2-factor auth, I guess) but not intended to be used on its own, just have the second key be the SHA256(password). That is, have a traditional random private key, which is stored on your computer, and use the hash of your password as the second private key, and require both keys to spend the transaction. That way, the password won't be in the clear in transit (since you're just "signing" using it), and it fits a "standard" transaction type so it'll be easier to relay and get into a block.
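The construction described in the answer above, as an added example that is not part of the original post: it derives the second private key as SHA256(password), computes both compressed public keys on secp256k1, and assembles the 2-of-2 multisig script. The function names, the `DEVICE_KEY` value and the password are constructed for illustration, and the double-and-add routine is for reading, not for production signing.

```python
import hashlib

# secp256k1 domain parameters (the curve Bitcoin keys live on)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(a, b):
    """Add two curve points; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def pubkey(priv):
    """Compressed public key for a private scalar (plain double-and-add)."""
    if not 1 <= priv < N:
        raise ValueError("private key outside [1, N-1]")
    acc, addend = None, G
    while priv:
        if priv & 1:
            acc = point_add(acc, addend)
        addend = point_add(addend, addend)
        priv >>= 1
    return bytes([2 + (acc[1] & 1)]) + acc[0].to_bytes(32, "big")

def password_privkey(password):
    """Second key from the answer: the SHA256 digest read as a 256-bit scalar."""
    return int.from_bytes(hashlib.sha256(password.encode()).digest(), "big")

def redeem_script_2of2(pub_a, pub_b):
    """OP_2 <pub_a> <pub_b> OP_2 OP_CHECKMULTISIG, each key pushed with its length."""
    push = lambda k: bytes([len(k)]) + k
    return b"\x52" + push(pub_a) + push(pub_b) + b"\x52\xae"

# Constructed sample values: a real device key comes from a CSPRNG.
DEVICE_KEY = 0x1F1E1D1C1B1A191817161514131211100F0E0D0C0B0A09080706050403020100
SCRIPT = redeem_script_2of2(pubkey(DEVICE_KEY), pubkey(password_privkey("password")))
print(SCRIPT.hex())
```

The password-derived key is only as strong as the password: once the script is revealed on spending, its public key can be checked against guessed passwords offline, so the random key is what carries the security.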