In our login page we enter a username and password and then submit the form. The password goes to the server, where it is encrypted using some algorithm and then saved to the database. But when it is posted to the server it can be seen in the Firebug POST data. So how is it secure? I have seen similar implementations in other cases as well. Can't it be trapped in the time it takes to get from the client to the server?
Firebug can see the password because it is acting as a proxy on your client (one of the two endpoints of the communications path). SSL/TLS (https) encrypts the data in transit between the two endpoints (think of it as a protected tunnel where the only way to see the real data inside is to be at one of the endpoints). Since Firebug runs on the client, it has access to the endpoint, where the data is not encrypted. Think of a tunnel you can pass data into that will be protected in transit; Firebug sits at the entrance to that tunnel so it can see everything that goes in (and comes out).
At a minimum, sending passwords (and any other sensitive data) should be done over SSL/TLS, to prevent someone/something not on an endpoint of the tunnel from seeing the data. Ideally, you will want to run everything over https to prevent session hijacking attacks (you can read all about that in the Wikipedia summary). Any site not encrypting at least the exchange of credentials (passwords, etc.) is not following industry best practices and should be considered an insecure implementation.