password is a function name in MySQL. Function names, like reserved words, must be enclosed in backticks to be used as a field name.
Personally, I'd say put backticks around all database, table and column names.
Using "bare" names in MySQL is akin to using bare strings in PHP. Sure, $foo = bar; will work, but it relies on bar not being a constant. Well, in MySQL, you are relying on your column names not being reserved words. Same thing. Use backticks!
